I just got a request from SysAid support to send them some logs using the Avatar > About > Download log file function.
I checked the resulting zip file to find it is full of configuration files which in turn are full of credentials with passwords.

tomcat\server.xml
- Clear text password for your SSL certificate if you are using SysAid with HTTPS, and its location on the server

WEB-INF\conf\serverConf.xml
- SysAid-encrypted password for your Database user and SQL server name - lazy/inexperienced people will use the sa user
- Clear text password for domain user and domain controller name if you are using Single Sign-On - lazy/inexperienced people will use domain\administrator here
- MD5 encrypted password of SMS Gateway - Google will crack this for you

WEB-INF\conf\accountConf-accountname-YYYY-MM-DD-....xml
- SysAid-encrypted passwords and domain controller of LDAP integration - lazy people will use domain\administrator here
- SysAid-encrypted passwords and server names of Mailbox for email integration
- Clear text password for domain user and domain controller name if you are using Single Sign-On - lazy/inexperienced people will use domain\administrator here
- SysAid-encrypted passwords and server names of Mailbox for Calendar Sync - this user has access to the Exchange calendar - lazy/inexperienced people will use domain\administrator here

So if you are a bit lazy and do not sanitise this zip file before sending it by email to SysAid support, you are potentially sending the following over the internet for everyone and the NSA and friends:
- sa password of Database server
- domain admin password
- SSL cert key
- OWA URL
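
An added example, not part of the original post and not SysAid code: a Python pass over the downloaded zip that masks secret-looking XML attributes and elements before the bundle is emailed. The name-matching heuristic and the sample element name `dbPassword` are assumptions, since the post does not show the files' contents; `keystorePass` is Tomcat's own Connector attribute.

```python
import io
import re
import zipfile

# Heuristic (an assumption): treat any XML attribute or element whose name
# contains pass/pwd/secret as a credential, whatever form its value takes.
NAME = r"[\w.-]*(?:pass|pwd|secret)[\w.-]*"
ATTR_RE = re.compile(r'(?i)\b(%s)(\s*=\s*)(["\'])(.*?)\3' % NAME)
ELEM_RE = re.compile(r"(?is)<(%s)(\s[^>]*)?(?<!/)>(.*?)</\1\s*>" % NAME)
MASK = "REDACTED"

def redact_xml(text):
    """Mask secret-looking values; return (text, names of masked fields)."""
    hits = []
    def attr(m):
        hits.append(m.group(1))
        return m.group(1) + m.group(2) + m.group(3) + MASK + m.group(3)
    def elem(m):
        hits.append(m.group(1))
        return "<%s%s>%s</%s>" % (m.group(1), m.group(2) or "", MASK, m.group(1))
    text = ELEM_RE.sub(elem, ATTR_RE.sub(attr, text))
    return text, hits

def sanitise_bundle(zip_bytes):
    """Copy a zip, masking XML members; return (new_zip_bytes, report)."""
    report, out = {}, io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info)
            if info.filename.lower().endswith(".xml"):
                text, hits = redact_xml(data.decode("utf-8", "replace"))
                if hits:
                    report[info.filename] = hits
                    data = text.encode("utf-8")
            dst.writestr(info.filename, data)
    return out.getvalue(), report

def build_sample_bundle():
    """Constructed sample; the SysAid element names here are invented."""
    files = {
        "tomcat/server.xml": '<Connector port="8443" keystorePass="Example-Pass-1"/>',
        "WEB-INF/conf/serverConf.xml": "<conf><dbPassword>ExampleEnc==</dbPassword></conf>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in files.items():
            z.writestr(name, body)
    return buf.getvalue()
```

The name heuristic does not cover the server names, domain controller names or OWA URL that the post also lists, so those still need a manual pass over the report's files.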