Hi all,
Some penetration test have been performed on our QlikView platform for an application using section access.
It has been discovered that credentials (both userid and password) appear in clear text in the IIS Logs on POST entries for /QvAjaxZfc/QvsViewClient.aspx (cf. example below)
Do you know if it's possible to avoid that on IIS side or on QlikView side ?
2015-12-15 08:28:28 1.1.1.1 POST /QvAjaxZfc/QvsViewClient.aspx mark=&host=QVS%40PREPROD&view=Human%20Ressources%2FEmployment%20Cost.qvw&userid=<toto>&password=<P@ssw0rd1>&slot=&platform=browser.MSIE%2010.&dpi=96&xrfkey=j0vP9Y6KAh0xECDx 80 <toto> 10.123.2.26 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+MS-RTC+LM+8;+Media+Center+PC+6.0;+.NET4.0C;+.NET4.0E) http://ebsmeyvqva01/QvAJAXZfc/opendoc.htm?document=Human%20Ressources%2FEmployment%20Cost.qvw&host=Q... 200 0 0 406
Regards
Xavier Macé