Skip to main content
Announcements
Join us at Qlik Connect for 3 magical days of learning, networking,and inspiration! REGISTER TODAY and save!
cancel
Showing results for 
Search instead for 
Did you mean: 
pljsoftware
Creator III
Creator III

QVD files store connection string in plain text!

Hi all!

I have noticed a very strange thing using QVD files... Inside the file, I can read in plain text my QlikView script, including the connection string with password!

How it can be possible?

66 Replies
pljsoftware
Creator III
Creator III
Author

S.Uhlig, please USE ENGLISH.

Miguel_Angel_Baeyens

Luca,

This messages are automatic and likely because he's some out-of-the-office auto-reply software and has subscribed to the thread, but it's auto replying without knowing. It sometimes happens and you will see more like this in the forums.

Regards,

Miguel

chriscammers
Partner - Specialist
Partner - Specialist

I think I may have figured out my strategy to increase my community points

matt_crowther
Luminary Alumni
Luminary Alumni

All,

I've just come across this thread so apologies if the following 2 points have been mentioned already:

1. The connection string and SQL Statement (if applicable) are written to the QVD even if the script originated from a Hidden Script tab, in theory meaning to get round Hidden Scripts all one needs to do is export all the tables to QVD and then rebuild from there. It wouldn't give you a complete picture but far more than is safe.

2. I previously noticed that by opening a QVW file with Section Access in a text editor about half way through the file there's a list of all the Section Access usernames in plain text. It doesn't appear as thought the passwords are there but even exposing the User details is an un-necessary risk in my view.

To confirm; we're running v10 SR3.

All the best,

Matt - Visual Analytics Ltd

flipside
Partner - Specialist II
Partner - Specialist II

Hi Matt,

On your point 2, the section access names might be due to the following:

On the issue with NTNAMEs being displayed in the QVW, this is caused by checking the document level properties setting "Filter AccessPoint Document List Based on Section Access" on the Server tab (in the document).  Sort of makes sense but can't see why it isn't encrypted.  If this is unchecked, it removes the entries when the file is saved. Probably the wise thing to do if sharing the actual document.

I can uncheck this and it doesn't make a difference to what my users see, but then I am using DMS authorization.  I don't know if it is different if using windows authentication.  Luckily I had decided to disable all document downloads from the server, otherwise the users would have potentially been able to obtain login names for my DMZ domain.

flipside

Not applicable

All,

Just a quick update on this - we are planning on releasing an update to v10 SR4 and v11 next week and are investigation doing an update for v10 SR3.

Regards

Chris Furlong

Senior Director, Product Management

pljsoftware
Creator III
Creator III
Author

Hi Chris,

good news, thanks.

Regards

Luca Jonathan Panetta

PLJ Software

fernandotoledo
Partner - Specialist
Partner - Specialist

Any news about this issue? Is there any update / release that fix it?

Best regards,

Fernando

pljsoftware
Creator III
Creator III
Author

Hi Fernando,

I saw now that is available a new release of QV 10 SR4, this is the number 9282 and I have found this bugfix on release notes.

44183 QEMC - Script - QVD generation:  If you store to a QVD, the user name and password are stored in clear text in the XML portion of the QVD

44181 QVD header lineage is not reset when all tables are droppe

I hope that it is solved.

Regards

Luca Jonathan Panetta

PLJ Software

Not applicable

Hi,

Just a quick update - we've put updated versions for v11 IR and v10 SR4 on the download site. For people using SR3 there is an update available, please contact support to obtain.

Thanks all for your patience over this issue and Happy New Year!

Futher details http://community.qlik.com/blogs/technicalbulletin/2012/01/05/qlikview-10-sr4-update-and-qlikview-11-...

Regards

Chris Furlong

Senior Director, Product Management