
Section Access password in IIS logs

Hi all,

Some penetration tests have been performed on our QlikView platform for an application using section access.

It has been discovered that credentials (both userid and password) appear in clear text in the IIS logs on POST entries for /QvAjaxZfc/QvsViewClient.aspx (cf. example below).

Do you know if it's possible to avoid that on the IIS side or on the QlikView side?

2015-12-15 08:28:28 1.1.1.1 POST /QvAjaxZfc/QvsViewClient.aspx mark=&host=QVS%40PREPROD&view=Human%20Ressources%2FEmployment%20Cost.qvw&userid=<toto>&password=<P@ssw0rd1>&slot=&platform=browser.MSIE%2010.&dpi=96&xrfkey=j0vP9Y6KAh0xECDx 80 <toto> 10.123.2.26 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+MS-RTC+LM+8;+Media+Center+PC+6.0;+.NET4.0C;+.NET4.0E) http://ebsmeyvqva01/QvAJAXZfc/opendoc.htm?document=Human%20Ressources%2FEmployment%20Cost.qvw&host=Q... 200 0 0 406

Regards

Xavier Macé

0 Replies
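
An added example, not part of the original post and not Qlik or Microsoft code: a Python filter that finds and masks userid/password values in the cs-uri-query column of IIS W3C logs that have already been written, for instance before they are archived or forwarded. The default column order is an assumption inferred from the sample line in the post, and SAMPLE is constructed data.

```python
# Assumed default column order (from the post's sample); "#Fields:" overrides it.
DEFAULT_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
                  "cs-username c-ip cs(User-Agent) cs(Referer) sc-status "
                  "sc-substatus sc-win32-status time-taken").split()
SENSITIVE = {"userid", "password"}  # parameter names seen in the post
MASK = "REDACTED"

def scrub_query(query):
    """Mask sensitive parameter values; return (new_query, names_found)."""
    found, parts = [], []
    for pair in query.split("&"):
        name, sep, value = pair.partition("=")
        if sep and value and name.lower() in SENSITIVE:
            found.append(name)
            pair = f"{name}={MASK}"
        parts.append(pair)
    return "&".join(parts), found

def scrub_log(lines):
    """Return (clean_lines, findings); findings hold names, never values."""
    fields, clean, findings = DEFAULT_FIELDS, [], []
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if line.startswith("#"):  # directives: track the column layout
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            clean.append(line)
            continue
        cols = line.split(" ")
        if "cs-uri-query" in fields and len(cols) == len(fields):
            targets = [fields.index("cs-uri-query")]
        else:  # layout mismatch: check every column rather than skip the line
            targets = range(len(cols))
        names = []
        for i in targets:
            cols[i], hit = scrub_query(cols[i])
            names += hit
        if names:
            findings.append((lineno, names))
        clean.append(" ".join(cols))
    return clean, findings

# Constructed sample (not real log data), same shape as the line in the post.
SAMPLE = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status",
    "2015-12-15 08:28:28 POST /QvAjaxZfc/QvsViewClient.aspx "
    "mark=&userid=alice&password=Example-Pass1&slot= 200",
    "2015-12-15 08:28:30 GET /QvAjaxZfc/opendoc.htm document=Demo.qvw 200",
]
```

Calling scrub_log(SAMPLE) returns the masked lines plus a list of (line number, parameter names) findings. Any password that has already reached a log file should be treated as exposed and changed.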