Can anybody please explain to me why my &IBIC_pass variable is exposed?
I'm using LDAP security (Trusted) and when I type
-TYPE &IBIC_pass
it shows me the user's LDAP password. This is happening in my DEV environment but not in production. For the life of me I can't seem to locate the config difference between the two that would allow this behavior.
Many thanks! This message has been edited. Last edited by: Yazster,
Is both your DEV and Prod on 8.1.4? Just curious. I tested it on 8.00.8 and it does not expose the password. I do have an 8.1.4 environment, but I haven't tested it.
WebFOCUS 8.1.05
July 15, 2015, 09:52 AM
Yazster
Yes both are 8.104.
I had the settings previously on 8.008 and all worked fine, no passwords were exposed. After upgrading both environments, passwords were exposed in my dev environment. No changes (to my knowledge) were made to either environment.
WebFOCUS 8.201M Windows, Linux, All Outputs
July 15, 2015, 10:33 AM
MattC
I tried it in my 8.1.4 environment, but I am not seeing it, in fact I am getting prompted or getting an error that it can't find the value, depending on where I am running it from, either MRE or RS.
I kind of wonder why you would have IBIMR_pass(PASS) set in your custom settings. That's not very secure.
We use LDAP along with SiteMinder, so anything I want to pass from LDAP, I have our LDAP admin throw it into the SM_HEADER to secure it properly. Otherwise you could have some spoofing.
By any means I am no expert.
-SET &ECHO='ALL';
-TYPE &IBIC_pass
TABLE FILE CAR
PRINT COUNTRY
END
-RUN
WebFOCUS 8.1.05
July 20, 2015, 04:36 PM
Yazster
The IBIMR_pass (PASS) statement was added by an IBI consultant when they created an initial application for us. Not really sure if/why it is required.
Removing the &IBIC_pass from the Custom Settings seems to have resolved the issue. This doesn't seem to have impacted anything negatively, I suppose time will tell