[birt-dev] RE: SECURITY ISSUE IN XML!

Linda,  This isn't a "use" issue, it's a "design" security flaw.    I believe
it really belongs to the developers, not users.  Report design XML is
attached.
 
I have posted a bugzilla bug for this:  204939.
 
The data source definition works properly...password is encrypted.  But
subsequent definitions do not encrypt the password.

I sent you an email with the report design source XML.

Note:  for security purposes, I over-typed my password with "PASSWORD" so I
could send this example to you.  It really is my production iSeries
password.
 
 
 
 
This XML is built by the UI interface; it is not manipulated by me (except
when I overwrote the ID and Password so I could send this to you).
 
Is there some code I can inject into the XML to encrypt my password?  That
would hold me over until the security flaw is fixed.
 


Skip Strickland, Analyst 
Information Access Group 
Costco WHOLESALE 
(425) 313-2521 
sstrickland@xxxxxxxxxx 

 





Linda Chan wrote:
> 
> Skip,
>  
> By "XML definitions", are you referring to the content in a report
> design file?  I'm not able to reproduce what you'd described.  
> What's the parent element of the  <design:dataSourceDesign> that you'd
> listed?   
> BTW, this mailing list is intended for development of the BIRT
> components.  Any how-to-use question is best posted in the BIRT
> newsgroup.  Please post follow up questions there, and attach a copy of
> your report design file.
>  
> Regards,
> Linda
> 
> ________________________________
> 
> From: birt-dev-bounces@xxxxxxxxxxx on behalf of sstrickland
> Sent: Thu 9/27/2007 4:06 PM
> To: birt-dev@xxxxxxxxxxx
> Subject: [birt-dev] SECURITY ISSUE IN XML!
> 
> 
> 
> 
> I configured BIRT to access my iSeries using jdbc.  In the XML definitions,
> my password appears in the clear (not encrypted).  This is a showstopper
> for me.
> 
> BIRT version:  2.2.1.r221_v20070924
> 
> 
> Can this be resolved?
> 
> Skip Strickland, Analyst
> Information Access Group
> Costco WHOLESALE
> (425) 313-2521
> sstrickland@xxxxxxxxxx
> 
> 
> 
>               <design:dataSourceDesign>
>                 <design:name>ISERIESNAME</design:name>
>                 <design:odaExtensionId>org.eclipse.birt.report.data.oda.jdbc</design:odaExtensionId>
>                 <design:publicProperties>
>                   <design:properties>
>                     <design:nameValue>
>                       <design:name>odaDriverClass</design:name>
>                       <design:value>com.ibm.as400.access.AS400JDBCDriver</design:value>
>                     </design:nameValue>
>                   </design:properties>
>                   <design:properties>
>                     <design:nameValue>
>                       <design:name>odaURL</design:name>
>                       <design:value>jdbc:as400://ISERIESNAME</design:value>
>                     </design:nameValue>
>                   </design:properties>
>                   <design:properties>
>                     <design:nameValue>
>                       <design:name>odaUser</design:name>
>                       <design:value>USERID</design:value>
>                     </design:nameValue>
>                   </design:properties>
>                   <design:properties>
>                     <design:nameValue>
>                       <design:name>odaPassword</design:name>
>                       <design:value>UNENCRYPTED PASSWORD</design:value>
>                     </design:nameValue>
>                   </design:properties>
>                   <design:properties>
>                     <design:nameValue>
>                       <design:name>odaJndiName</design:name>
>                     </design:nameValue>
>                   </design:properties>
>                   <design:properties>
>                     <design:nameValue>
>                       <design:name>OdaConnProfileName</design:name>
>                     </design:nameValue>
>                   </design:properties>
>                   <design:properties>
>                     <design:nameValue>
>                       <design:name>OdaConnProfileStorePath</design:name>
>                     </design:nameValue>
>                   </design:properties>
>                 </design:publicProperties>
>               </design:dataSourceDesign>
> 
> --
> View this message in context:
> http://www.nabble.com/SECURITY-ISSUE-IN-XML%21-tf4531404.html#a12931382
> Sent from the Eclipse BIRT - Dev mailing list archive at Nabble.com.
> 
> _______________________________________________
> birt-dev mailing list
> birt-dev@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/birt-dev
> 
http://www.nabble.com/file/p13002347/IACMP.rptdesign IACMP.rptdesign 
-- 
View this message in context: http://www.nabble.com/SECURITY-ISSUE-IN-XML%21-tf4531404.html#a13002347
Sent from the Eclipse BIRT - Dev mailing list archive at Nabble.com.
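
An added example, not part of the original thread and not BIRT code: a Python check that finds non-empty `odaPassword` values in the `dataSourceDesign` structure quoted above and overwrites them before a design file is shared. The sample XML and its namespace URI are constructed for illustration, and elements are matched by local name only.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragment quoted in the thread. The
# namespace URI is a placeholder (assumption); matching below ignores it.
SAMPLE = """<report xmlns:design="urn:example:oda-design">
<design:dataSourceDesign>
  <design:name>ISERIESNAME</design:name>
  <design:publicProperties>
    <design:properties><design:nameValue>
      <design:name>odaPassword</design:name>
      <design:value>UNENCRYPTED PASSWORD</design:value>
    </design:nameValue></design:properties>
    <design:properties><design:nameValue>
      <design:name>odaJndiName</design:name>
    </design:nameValue></design:properties>
  </design:publicProperties>
</design:dataSourceDesign>
</report>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def child(elem, name):
    """First direct child with the given local name, or None."""
    return next((c for c in elem if local(c.tag) == name), None)

def redact_passwords(xml_text, marker="REDACTED"):
    """Return (redacted_xml, findings). findings lists the name of each
    data source whose odaPassword nameValue held a non-empty value."""
    root = ET.fromstring(xml_text)
    findings = []
    for ds in root.iter():
        if local(ds.tag) != "dataSourceDesign":
            continue
        ds_name = child(ds, "name")
        for nv in ds.iter():
            if local(nv.tag) != "nameValue":
                continue
            key, val = child(nv, "name"), child(nv, "value")
            if key is None or val is None:
                continue  # e.g. odaJndiName above has no value element
            if (key.text or "").strip() == "odaPassword" and (val.text or "").strip():
                findings.append(ds_name.text if ds_name is not None else "?")
                val.text = marker
    return ET.tostring(root, encoding="unicode"), findings

if __name__ == "__main__":
    redacted, hits = redact_passwords(SAMPLE)
    print("data sources with a stored password value:", hits)
```

The check cannot tell an encrypted value from a cleartext one, so every non-empty `odaPassword` is reported and overwritten.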


