Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
Hi all!
I have noticed a very strange thing using QVD files... Inside the file, I can read in plain text my QlikView script, including the connection string with password!
How it can be possible?
S.Uhlig, please USE ENGLISH.
Luca,
This messages are automatic and likely because he's some out-of-the-office auto-reply software and has subscribed to the thread, but it's auto replying without knowing. It sometimes happens and you will see more like this in the forums.
Regards,
Miguel
I think I may have figured out my strategy to increase my community points
All,
I've just come across this thread so apologies if the following 2 points have been mentioned already:
1. The connection string and SQL Statement (if applicable) are written to the QVD even if the script originated from a Hidden Script tab, in theory meaning to get round Hidden Scripts all one needs to do is export all the tables to QVD and then rebuild from there. It wouldn't give you a complete picture but far more than is safe.
2. I previously noticed that by opening a QVW file with Section Access in a text editor about half way through the file there's a list of all the Section Access usernames in plain text. It doesn't appear as thought the passwords are there but even exposing the User details is an un-necessary risk in my view.
To confirm; we're running v10 SR3.
All the best,
Matt - Visual Analytics Ltd
Hi Matt,
On your point 2, the section access names might be due to the following:
On the issue with NTNAMEs being displayed in the QVW, this is caused by checking the document level properties setting "Filter AccessPoint Document List Based on Section Access" on the Server tab (in the document). Sort of makes sense but can't see why it isn't encrypted. If this is unchecked, it removes the entries when the file is saved. Probably the wise thing to do if sharing the actual document.
I can uncheck this and it doesn't make a difference to what my users see, but then I am using DMS authorization. I don't know if it is different if using windows authentication. Luckily I had decided to disable all document downloads from the server, otherwise the users would have potentially been able to obtain login names for my DMZ domain.
flipside
All,
Just a quick update on this - we are planning on releasing an update to v10 SR4 and v11 next week and are investigation doing an update for v10 SR3.
Regards
Chris Furlong
Senior Director, Product Management
Any news about this issue? Is there any update / release that fix it?
Best regards,
Fernando
Hi Fernando,
I saw now that is available a new release of QV 10 SR4, this is the number 9282 and I have found this bugfix on release notes.
44183 QEMC - Script - QVD generation: If you store to a QVD, the user name and password are stored in clear text in the XML portion of the QVD
44181 QVD header lineage is not reset when all tables are droppe
I hope that it is solved.
Regards
Luca Jonathan Panetta
Hi,
Just a quick update - we've put updated versions for v11 IR and v10 SR4 on the download site. For people using SR3 there is an update available, please contact support to obtain.
Thanks all for your patience over this issue and Happy New Year!
Futher details http://community.qlik.com/blogs/technicalbulletin/2012/01/05/qlikview-10-sr4-update-and-qlikview-11-...
Regards
Chris Furlong
Senior Director, Product Management