
Section Access password in IIS logs

Hi all,

Some penetration tests have been performed on our QlikView platform for an application using section access.

It has been discovered that credentials (both userid and password) appear in clear text in the IIS logs on POST entries for /QvAjaxZfc/QvsViewClient.aspx (cf. example below).

Do you know if it's possible to avoid that on the IIS side or on the QlikView side?

2015-12-15 08:28:28 1.1.1.1 POST /QvAjaxZfc/QvsViewClient.aspx mark=&host=QVS%40PREPROD&view=Human%20Ressources%2FEmployment%20Cost.qvw&userid=<toto>&password=<P@ssw0rd1>&slot=&platform=browser.MSIE%2010.&dpi=96&xrfkey=j0vP9Y6KAh0xECDx 80 <toto> 10.123.2.26 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+MS-RTC+LM+8;+Media+Center+PC+6.0;+.NET4.0C;+.NET4.0E) http://ebsmeyvqva01/QvAJAXZfc/opendoc.htm?document=Human%20Ressources%2FEmployment%20Cost.qvw&host=Q... 200 0 0 406

Regards

Xavier Macé

0 Replies
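
For IIS logs that already hold entries like the one quoted in the post, the script below finds and redacts password values in the query-string columns. It is an added example, not part of the original post and not Qlik or Microsoft code; it assumes W3C extended logs with a `#Fields:` header, the parameter names other than `password` are assumptions, and the sample lines are constructed.

```python
import re

# "password" is the parameter named in the post; the other names are
# assumptions to adapt to your own applications.
SENSITIVE = ("password", "passwd", "pwd")
_PARAM = re.compile(r"(^|[&?])(%s)=[^&\s]+" % "|".join(SENSITIVE), re.I)
# W3C fields that can carry a query string.
URL_FIELDS = ("cs-uri-query", "cs(Referer)")

def scrub_field(value):
    """Replace sensitive parameter values; return (new_value, hit_count)."""
    return _PARAM.subn(lambda m: f"{m.group(1)}{m.group(2)}=REDACTED", value)

def scrub_log(lines):
    """Return [(line_no, redacted_line, hits)] for an IIS W3C extended log."""
    out, idx = [], []
    for no, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            # Column positions come from the log's own header directive.
            names = line.split()[1:]
            idx = [i for i, n in enumerate(names) if n in URL_FIELDS]
        hits = 0
        if line and not line.startswith("#"):
            cols = line.split(" ")
            for i in idx:
                if i < len(cols):
                    cols[i], n = scrub_field(cols[i])
                    hits += n
            line = " ".join(cols)
        out.append((no, line, hits))
    return out

# Constructed sample (not real data), shaped like the entry in the post.
SAMPLE = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip sc-status",
    "2015-12-15 08:28:28 192.0.2.10 POST /QvAjaxZfc/QvsViewClient.aspx "
    "view=Demo.qvw&userid=alice&password=Example%21Pass&slot= 80 alice "
    "198.51.100.7 200",
    "2015-12-15 08:28:30 192.0.2.10 GET /QvAjaxZfc/opendoc.htm "
    "document=Demo.qvw 80 alice 198.51.100.7 200",
]

if __name__ == "__main__":
    for no, line, hits in scrub_log(SAMPLE):
        print(f"{no}: [{hits} redacted] {line}")
```

Lines with a non-zero hit count identify accounts whose passwords were written to disk and should be rotated; the redaction only cleans the log copy.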