Qlik Community

Knowledge

Search or browse our knowledge base to find answers to your questions ranging from account questions to troubleshooting error messages. The content is curated and updated by our global Support team

Announcements
Join us for live office hours! Q&A with Qlik on Dec 14 at 10am EST: Refining Reports and Visualizations

"Open URL" and "Launch" disabled for document sheet buttons in latest QlikView Plugin releases

Sonja_Bauernfeind
Digital Support
Digital Support

"Open URL" and "Launch" disabled for document sheet buttons in latest QlikView Plugin releases

A document sheet can have buttons, which in turn can have associated Actions. 

These Actions can be of several types, but there are two in particular which have been disabled in the Internet Explorer Plugin due to security concerns:

  • Launch
  • Open URL

buttons.png

 

See QV-20715: Remote Code Execution RCE. QvPlugin IE for QCS 

To benefit from the security fixes the Internet Explorer plugin need to be updated.

After an update, the disabled features can be re-enabled (not recommended). 

Environment:

QlikView April 2020 12.50 SR1
QlikView April 2019 12.40 SR4
QlikView November 2018 12.30 SR5
QlikView November 2017 12.20 SR11
QlikView 11.20 SR21

 

Resolution

Labels (1)
Comments
peterwh
Creator
Creator

Hello,

Is there any other option to get this functionality back (starting a external program) without the setting mentioned in this post (but with security hints for the user for example)?

Kind regards
Peter Hübschen

Sonja_Bauernfeind
Digital Support
Digital Support

Hello @peterwh 

Once the Plugin and/or Desktop have been upgraded with the fix, regaining the functionality will require the documented workaround. 

Kind Regards, 

Sonja 

peterwh
Creator
Creator

Hello @Sonja_Bauernfeind ,

I've encountered another problem with this patch. We're using  a straight table chart in all of our dashboards to link to the dashboard documentations, which are hosted on a (internal) wiki-site. This doesn't work anymore.

It's not button related but I think in the background the same procedure is called. I think it would be useful if this information was provided too.

But I think Qlik should reconsider this patch, because useful use cases are broken - in my opinion.

Kind regards,

Peter Hübschen

peterwh
Creator
Creator

"meta_Doku_Link" is like "<url>http://...""meta_Doku_Link" is like "<url>http://..."

glacoste
Creator
Creator

@Sonja_Bauernfeind  Could you detail what are the "security risks" of including a controlled link in a QlikView panel? It is a basic feature that any program should support, please detail.

peterwh
Creator
Creator

Hello @glacoste ,

after all what I've read and what the fix does whose provided by Qlik, I think the security risk is a global one.

I think the set-up is something like this:
If you open a QlikView-dashboard from a foreign site with Internet Explorer in plugin-mode, there could be a link to a website with malware or behind a button is a execution of a malware program, to gain access to your local system. ActiveX and Internet Explorer was never a truly secure combination.

It's too bad that Qlik simply cut off this functionality. I would find it better if you could define secure site-addresses where this functionality is still working (like a intranet-sites) and if a site is not on this list there would be a warning message, that this functionality is not availaible or something.

Kind regards

Peter

Sonja_Bauernfeind
Digital Support
Digital Support

@glacoste @peterwh summarized this nicely! I checked with our Product Team to confirm 🙂

As for the functionality having been switched off and the suggestion that you raised, @peterwh: These are great suggestions! I'd recommend that you hop over to our Ideas forum and leave this feedback there as an idea/Feature Request. This will help our developers understand use cases and highlights your needs as a customer. 

 https://community.qlik.com/t5/Ideas/idb-p/qlik-ideas

 

rva_heldendaten
Partner
Partner

HI!

I just checked with the latest QV12.50SR2 Release and hyperlinks in tables are disabled.

 

Here a screenshot how an enduser can change it back to the old behavior manually.

rva_heldendaten_0-1601623504072.png

 

 

peterwh
Creator
Creator

Hi,

but if you do that the security fix is disabled! As I said it's bad that all hyperlinks are disabled, if you want to use the security fix.

Kind regards
Peter

rva_heldendaten
Partner
Partner

@peterwh : Totally agree. But I can't change the current release. Therefore I posted the screenshot - may it help some enduser. At least you don't have to edit it manually in some settings.ini

 

 

Version history
Last update:
‎2020-09-24 07:14 AM
Updated by:
Contributors