[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
[birt-dev] RE: SECURITY ISSUE IN XML!
|
Linda, This isn't a "use" issue, it's a "design" security flaw. I believe
it really belongs to the developers, not users. Report design XML is
attached.
I have posted a bugzilla bug for this: 204939.
The data source definition works properly...password is encrypted. But
subsequent definitions do not encrypt the password.
I sent you an email with the report deisgn source XML.
Note: for security purposes, I over-typed my password with "PASSWORD" so I
could send this example to you. It really is my production iSeries
password.
This XML is built by the UI interface; it is not manuipulated by me (except
when I overwrote the ID and Password so I could send this to you).
Is there some code I can inject into the XML to encrypt my password? That
would hold me over until the security flaw is fixed.
Skip Strickland, Analyst
Information Access Group
Costco WHOLESALE
(425) 313-2521
sstrickland@xxxxxxxxxx
Linda Chan wrote:
>
> Skip,
>
> By "XML definitions", are you referring to the content in a report
> design file? I'm not able to reproduce what you'd described.
> What's the parent element of the <design:dataSourceDesign> that you'd
> listed?
> BTW, this mailing list is intended for development of the BIRT
> components. Any how-to-use question is best posted in the BIRT
> newsgroup. Please post follow up questions there, and attach a copy of
> your report design file.
>
> Regards,
> Linda
>
> ________________________________
>
> From: birt-dev-bounces@xxxxxxxxxxx on behalf of sstrickland
> Sent: Thu 9/27/2007 4:06 PM
> To: birt-dev@xxxxxxxxxxx
> Subject: [birt-dev] SECURITY ISSUE IN XML!
>
>
>
>
> I configured BIRT to access my iSeries using jdbc. In the XML
> definitions,
> my password appears in the clear (not encrypted). This is a showstopper
> for
> me.
>
> BIRT version: 2.2.1.r221_v20070924
>
>
> Can this be resolved?
>
> Skip Strickland, Analyst
> Information Access Group
> Costco WHOLESALE
> (425) 313-2521
> sstrickland@xxxxxxxxxx
>
>
>
> <design:dataSourceDesign>
> <design:name>ISERIESNAME</design:name>
>
> <design:odaExtensionId>org.eclipse.birt.report.data.oda.jdbc</design:oda
> ExtensionId>
> <design:publicProperties>
> <design:properties>
> <design:nameValue>
> <design:name>odaDriverClass</design:name>
>
> <design:value>com.ibm.as400.access.AS400JDBCDriver</design:value>
> </design:nameValue>
> </design:properties>
> <design:properties>
> <design:nameValue>
> <design:name>odaURL</design:name>
>
> <design:value>jdbc:as400://ISERIESNAME</design:value>
> </design:nameValue>
> </design:properties>
> <design:properties>
> <design:nameValue>
> <design:name>odaUser</design:name>
> <design:value>USERID</design:value>
> </design:nameValue>
> </design:properties>
> <design:properties>
> <design:nameValue>
> <design:name>odaPassword</design:name>
> <design:value>UNENCRYPTED PASSWORD</design:value>
> </design:nameValue>
> </design:properties>
> <design:properties>
> <design:nameValue>
> <design:name>odaJndiName</design:name>
> </design:nameValue>
> </design:properties>
> <design:properties>
> <design:nameValue>
> <design:name>OdaConnProfileName</design:name>
> </design:nameValue>
> </design:properties>
> <design:properties>
> <design:nameValue>
> <design:name>OdaConnProfileStorePath</design:name>
> </design:nameValue>
> </design:properties>
> </design:publicProperties>
> </design:dataSourceDesign>
>
> --
> View this message in context:
> http://www.nabble.com/SECURITY-ISSUE-IN-XML%21-tf4531404.html#a12931382
> Sent from the Eclipse BIRT - Dev mailing list archive at Nabble.com.
>
> _______________________________________________
> birt-dev mailing list
> birt-dev@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/birt-dev
>
>
>
> _______________________________________________
> birt-dev mailing list
> birt-dev@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/birt-dev
>
>
http://www.nabble.com/file/p13002347/IACMP.rptdesign IACMP.rptdesign
--
View this message in context: http://www.nabble.com/SECURITY-ISSUE-IN-XML%21-tf4531404.html#a13002347
Sent from the Eclipse BIRT - Dev mailing list archive at Nabble.com.