
Section Access password in IIS logs

Hi all,

Some penetration tests have been performed on our QlikView platform for an application using section access.

It has been discovered that credentials (both userid and password) appear in clear text in the IIS logs on POST entries for /QvAjaxZfc/QvsViewClient.aspx (cf. example below).

Do you know if it's possible to avoid that on the IIS side or on the QlikView side?

2015-12-15 08:28:28 1.1.1.1 POST /QvAjaxZfc/QvsViewClient.aspx mark=&host=QVS%40PREPROD&view=Human%20Ressources%2FEmployment%20Cost.qvw&userid=<toto>&password=<P@ssw0rd1>&slot=&platform=browser.MSIE%2010.&dpi=96&xrfkey=j0vP9Y6KAh0xECDx 80 <toto> 10.123.2.26 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+MS-RTC+LM+8;+Media+Center+PC+6.0;+.NET4.0C;+.NET4.0E) http://ebsmeyvqva01/QvAJAXZfc/opendoc.htm?document=Human%20Ressources%2FEmployment%20Cost.qvw&host=Q... 200 0 0 406

Regards

Xavier Macé

0 Replies
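
For auditing logs that have already been written, here is an added example (not part of the original post, and not Qlik or Microsoft code) that finds and redacts `userid`/`password` values in the `cs-uri-query` column of a W3C-format IIS log. It assumes the column order is given by the log's `#Fields:` header; the function names and the sample lines are constructed for illustration.

```python
import re

# Query parameters treated as secrets; these are the two the post reports seeing.
SENSITIVE = ("password", "userid")
_PARAM = re.compile(r"(?i)(^|&)(%s)=([^&]*)" % "|".join(SENSITIVE))

def scrub_query(query):
    """Return (redacted_query, names_of_non_empty_sensitive_params)."""
    found = []
    def repl(m):
        if m.group(3):                         # only non-empty values count as a leak
            found.append(m.group(2).lower())
            return "%s%s=REDACTED" % (m.group(1), m.group(2))
        return m.group(0)
    return _PARAM.sub(repl, query), found

def scrub_log(lines):
    """Redact cs-uri-query secrets; return (clean_lines, [(line_no, uri_stem, params)])."""
    fields, clean, findings = [], [], []
    for n, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
        cols = line.split(" ")
        if line.startswith("#") or "cs-uri-query" not in fields or len(cols) != len(fields):
            clean.append(line)                 # directives and malformed rows pass through
            continue
        q = fields.index("cs-uri-query")
        cols[q], hit = scrub_query(cols[q])
        if hit:
            stem = cols[fields.index("cs-uri-stem")] if "cs-uri-stem" in fields else "-"
            findings.append((n, stem, hit))
        clean.append(" ".join(cols))
    return clean, findings

# Constructed sample log; addresses, user and password are made up.
SAMPLE = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status",
    "2015-12-15 08:28:28 192.0.2.10 POST /QvAjaxZfc/QvsViewClient.aspx "
    "mark=&host=QVS%40TEST&userid=alice&password=Example%21Pw&slot= 80 alice 198.51.100.7 200",
    "2015-12-15 08:28:30 192.0.2.10 GET /QvAjaxZfc/opendoc.htm document=demo.qvw 80 alice 198.51.100.7 200",
]

if __name__ == "__main__":
    cleaned, hits = scrub_log(SAMPLE)
    print("\n".join(cleaned))
    for n, stem, params in hits:
        print("line %d: %s logged %s" % (n, stem, ", ".join(params)))
```

The findings list identifies which log files and accounts were affected; the redaction covers stored copies only and does not change what the client sends in the request.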