0 Replies Latest reply: Dec 15, 2015 11:45 AM by Xavier Macé

    Section Access password in IIS logs

    Xavier Macé

      Hi all,

      Some penetration tests have been performed on our QlikView platform for an application using section access.

      It has been discovered that credentials (both userid and password) appear in clear text in the IIS logs on POST entries for /QvAjaxZfc/QvsViewClient.aspx (cf. example below).

      Do you know if it's possible to avoid that on the IIS side or on the QlikView side?

      2015-12-15 08:28:28 1.1.1.1 POST /QvAjaxZfc/QvsViewClient.aspx mark=&host=QVS%40PREPROD&view=Human%20Ressources%2FEmployment%20Cost.qvw&userid=<toto>&password=<P@ssw0rd1>&slot=&platform=browser.MSIE%2010.&dpi=96&xrfkey=j0vP9Y6KAh0xECDx 80 <toto> 10.123.2.26 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+MS-RTC+LM+8;+Media+Center+PC+6.0;+.NET4.0C;+.NET4.0E) http://ebsmeyvqva01/QvAJAXZfc/opendoc.htm?document=Human%20Ressources%2FEmployment%20Cost.qvw&host=QVS%40PREPROD 200 0 0 406

       

      Regards

      Xavier Macé
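
In the entry quoted above, the userid and password sit in the query-string column (cs-uri-query) of the IIS W3C log line. As an added example (not part of the original post, and not QlikView or IIS code), the following Python finds and redacts those parameters in log files that already exist; the default field order and the sample lines are assumptions constructed for illustration.

```python
SENSITIVE = {"userid", "password"}  # parameter names seen in the post's log line
# Assumption: default IIS W3C field order, used until a "#Fields:" directive is seen.
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
          "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status "
          "time-taken").split()

def scrub_query(query):
    """Return (redacted query, names of sensitive parameters that carried a value)."""
    hits, parts = [], []
    for pair in query.split("&"):
        name, sep, value = pair.partition("=")
        if name.lower() in SENSITIVE and value:
            hits.append(name.lower())
            pair = name + sep + "REDACTED"
        parts.append(pair)
    return "&".join(parts), hits

def scrub_log(lines):
    """Return (cleaned lines, findings); a finding is (line number, parameter names)."""
    fields, clean, findings = FIELDS, [], []
    for lineno, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # honour the log's own column layout
        cols = line.split(" ")
        if line.startswith("#") or "cs-uri-query" not in fields:
            clean.append(line)
            continue
        if len(cols) != len(fields):           # cannot locate the query: report, do not guess
            findings.append((lineno, ["unparsed"]))
            clean.append(line)
            continue
        q = fields.index("cs-uri-query")
        cols[q], hits = scrub_query(cols[q])
        if hits:
            findings.append((lineno, hits))
        clean.append(" ".join(cols))
    return clean, findings

# Constructed sample in the same layout as the line quoted in the post.
SAMPLE = [
    "#Fields: " + " ".join(FIELDS),
    "2015-12-15 08:28:28 192.0.2.10 POST /QvAjaxZfc/QvsViewClient.aspx "
    "mark=&view=Demo.qvw&userid=alice&password=Example%21pw&slot= 80 - "
    "198.51.100.7 Mozilla/4.0+(compatible) - 200 0 0 406",
    "2015-12-15 08:28:29 192.0.2.10 GET /QvAjaxZfc/opendoc.htm - 80 - "
    "198.51.100.7 Mozilla/4.0+(compatible) - 200 0 0 15",
]

if __name__ == "__main__": print(scrub_log(SAMPLE)[1])
```

Lines whose column count does not match the declared fields are reported as "unparsed" and passed through unchanged, so they need a manual look before the log is shared.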