
RE: [birt-dev] RE: SECURITY ISSUE IN XML!

Bug reporting is indeed best done using Bugzilla.  Please see my
investigation notes in bug 204939.

Linda

-----Original Message-----
From: birt-dev-bounces@xxxxxxxxxxx [mailto:birt-dev-bounces@xxxxxxxxxxx]
On Behalf Of sstrickland
Sent: Tuesday, October 02, 2007 9:40 AM
To: birt-dev@xxxxxxxxxxx
Subject: [birt-dev] RE: SECURITY ISSUE IN XML!


Linda, this isn't a "use" issue; it's a "design" security flaw.  I
believe it really belongs to the developers, not users.  Report design
XML is attached.
 
I have posted a bugzilla bug for this:  204939.
 
The data source definition works properly...password is encrypted.  But
subsequent definitions do not encrypt the password.

I sent you an email with the report design source XML.

Note:  for security purposes, I over-typed my password with "PASSWORD"
so I could send this example to you.  It really is my production iSeries
password.
 
 
 
 
This XML is built by the UI interface; it is not manipulated by me
(except when I overwrote the ID and Password so I could send this to
you).
 
Is there some code I can inject into the XML to encrypt my password?
That would hold me over until the security flaw is fixed.
 


Skip Strickland, Analyst
Information Access Group
Costco WHOLESALE
(425) 313-2521
sstrickland@xxxxxxxxxx 

 





Linda Chan wrote:
> 
> Skip,
>  
> By "XML definitions", are you referring to the content in a report 
> design file?  I'm not able to reproduce what you'd described.
> What's the parent element of the  <design:dataSourceDesign> that you'd
> listed?   
> BTW, this mailing list is intended for development of the BIRT 
> components.  Any how-to-use question is best posted in the BIRT 
> newsgroup.  Please post follow up questions there, and attach a copy 
> of your report design file.
>  
> Regards,
> Linda
> 
> ________________________________
> 
> From: birt-dev-bounces@xxxxxxxxxxx on behalf of sstrickland
> Sent: Thu 9/27/2007 4:06 PM
> To: birt-dev@xxxxxxxxxxx
> Subject: [birt-dev] SECURITY ISSUE IN XML!
> 
> 
> 
> 
> I configured BIRT to access my iSeries using jdbc.  In the XML 
> definitions, my password appears in the clear (not encrypted).  This 
> is a showstopper for me.
> 
> BIRT version:  2.2.1.r221_v20070924
> 
> 
> Can this be resolved?
> 
> Skip Strickland, Analyst
> Information Access Group
> Costco WHOLESALE
> (425) 313-2521
> sstrickland@xxxxxxxxxx
> 
> 
> 
>               <design:dataSourceDesign>
>                 <design:name>ISERIESNAME</design:name>
>                 <design:odaExtensionId>org.eclipse.birt.report.data.oda.jdbc</design:odaExtensionId>
>                 <design:publicProperties>
>                   <design:properties>
>                     <design:nameValue>
>                       <design:name>odaDriverClass</design:name>
>                       <design:value>com.ibm.as400.access.AS400JDBCDriver</design:value>
>                     </design:nameValue>
>                   </design:properties>
>                   <design:properties>
>                     <design:nameValue>
>                       <design:name>odaURL</design:name>
>                       <design:value>jdbc:as400://ISERIESNAME</design:value>
>                     </design:nameValue>
>                   </design:properties>
>                   <design:properties>
>                     <design:nameValue>
>                       <design:name>odaUser</design:name>
>                       <design:value>USERID</design:value>
>                     </design:nameValue>
>                   </design:properties>
>                   <design:properties>
>                     <design:nameValue>
>                       <design:name>odaPassword</design:name>
>                       <design:value>UNENCRYPTED PASSWORD</design:value>
>                     </design:nameValue>
>                   </design:properties>
>                   <design:properties>
>                     <design:nameValue>
>                       <design:name>odaJndiName</design:name>
>                     </design:nameValue>
>                   </design:properties>
>                   <design:properties>
>                     <design:nameValue>
>                       <design:name>OdaConnProfileName</design:name>
>                     </design:nameValue>
>                   </design:properties>
>                   <design:properties>
>                     <design:nameValue>
>                       <design:name>OdaConnProfileStorePath</design:name>
>                     </design:nameValue>
>                   </design:properties>
>                 </design:publicProperties>
>               </design:dataSourceDesign>
> 
> --
> View this message in context:
> http://www.nabble.com/SECURITY-ISSUE-IN-XML%21-tf4531404.html#a12931382
> Sent from the Eclipse BIRT - Dev mailing list archive at Nabble.com.
> 
> _______________________________________________
> birt-dev mailing list
> birt-dev@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/birt-dev
> 
> 
> 
> 
> 
http://www.nabble.com/file/p13002347/IACMP.rptdesign IACMP.rptdesign
--
View this message in context:
http://www.nabble.com/SECURITY-ISSUE-IN-XML%21-tf4531404.html#a13002347
Sent from the Eclipse BIRT - Dev mailing list archive at Nabble.com.

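The thread above reports that BIRT 2.2.1 wrote a JDBC password into the report design as a cleartext <design:value> under odaPassword. The following audit script is an added example, not code from the thread or from the BIRT project: it walks a report design (or the designer-values fragment quoted above), finds every <design:dataSourceDesign>, and flags any odaPassword whose value is non-empty, reporting only the value's length so the audit output does not leak the secret a second time. The embedded sample is constructed to mirror the quoted fragment (one data source with a cleartext password, one that relies on odaJndiName and leaves the password empty); the xmlns URI in it is an assumption, and the scanner matches on local element names so the exact namespace does not matter.

```python
"""Audit helper (added example, not BIRT project code): flag data sources in a
BIRT report design whose ODA password is stored as cleartext, as in the
<design:dataSourceDesign> fragment quoted in this thread."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragment in the thread. The xmlns URI is
# an assumption. First data source: cleartext password. Second: JNDI lookup,
# odaPassword left empty, which is the shape that should pass the check.
SAMPLE_DESIGN = """<?xml version="1.0"?>
<designerValues xmlns:design="http://www.eclipse.org/datatools/connectivity/oda/design">
  <design:dataSourceDesign>
    <design:name>ISERIESNAME</design:name>
    <design:odaExtensionId>org.eclipse.birt.report.data.oda.jdbc</design:odaExtensionId>
    <design:publicProperties>
      <design:properties><design:nameValue>
        <design:name>odaUser</design:name>
        <design:value>USERID</design:value>
      </design:nameValue></design:properties>
      <design:properties><design:nameValue>
        <design:name>odaPassword</design:name>
        <design:value>UNENCRYPTED PASSWORD</design:value>
      </design:nameValue></design:properties>
    </design:publicProperties>
  </design:dataSourceDesign>
  <design:dataSourceDesign>
    <design:name>JNDISOURCE</design:name>
    <design:odaExtensionId>org.eclipse.birt.report.data.oda.jdbc</design:odaExtensionId>
    <design:publicProperties>
      <design:properties><design:nameValue>
        <design:name>odaPassword</design:name>
      </design:nameValue></design:properties>
      <design:properties><design:nameValue>
        <design:name>odaJndiName</design:name>
        <design:value>jdbc/reports</design:value>
      </design:nameValue></design:properties>
    </design:publicProperties>
  </design:dataSourceDesign>
</designerValues>
"""

# Property names treated as secrets; extend if a driver uses another name.
SECRET_PROPERTIES = frozenset({"odaPassword"})


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def child_text(element, name):
    """Text of the first direct child with the given local name, or None."""
    for child in element:
        if local_name(child.tag) == name:
            return child.text
    return None


def find_cleartext_passwords(xml_text, secret_properties=SECRET_PROPERTIES):
    """Return one finding per secret property that has a non-empty value.
    The value itself is never stored, only its length, so the report can be
    shared without leaking the password again."""
    root = ET.fromstring(xml_text)
    findings = []
    for ds in root.iter():
        if local_name(ds.tag) != "dataSourceDesign":
            continue
        ds_name = child_text(ds, "name") or "<unnamed>"
        for nv in ds.iter():
            if local_name(nv.tag) != "nameValue":
                continue
            prop = child_text(nv, "name")
            value = (child_text(nv, "value") or "").strip()
            if prop in secret_properties and value:
                findings.append({"data_source": ds_name,
                                 "property": prop,
                                 "value_length": len(value)})
    return findings


def scan_file(path):
    """Scan a .rptdesign (or extracted designer-values XML) on disk."""
    with open(path, "rb") as fh:
        return find_cleartext_passwords(fh.read())


if __name__ == "__main__":
    paths = sys.argv[1:]
    results = ([(p, scan_file(p)) for p in paths] if paths
               else [("<sample>", find_cleartext_passwords(SAMPLE_DESIGN))])
    for path, findings in results:
        for f in findings:
            print(f"{path}: data source {f['data_source']!r} stores "
                  f"{f['property']} in the clear ({f['value_length']} chars)")
    # Non-zero exit lets a pre-commit hook or CI job block the file.
    sys.exit(1 if any(fs for _, fs in results) else 0)
```

Run it with one or more .rptdesign paths to audit a repository of report designs before they are committed or shipped; with no arguments it scans the embedded sample and exits 1 because ISERIESNAME carries a cleartext password. The check deliberately treats any non-empty odaPassword value as a finding rather than trying to recognise an encrypted form, since the thread does not describe what BIRT's encrypted representation looks like.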

