All your password are belong to us

 
SysAider
 
I just got a request from sysaid support to send them some logs using the Avatar > About > Download log file function.

I checked the resulting zip file to find it is full of configuration files which in turn are full of credentials with passwords.

tomcat\server.xml
Clear-text password for your SSL certificate, and its location on the server, if you are using SysAid with HTTPS


WEB-INF\conf\serverConf.xml
SysAid-encrypted password for your database user, plus the SQL Server name; the lazy/inexperienced will use the sa user
Clear-text password for the domain user, plus the domain controller name, if you are using single sign-on; lazy/inexperienced people will use domain\administrator here
MD5-encrypted password of the SMS gateway; Google will crack this for you

WEB-INF\conf\accountConf-accountname-YYYY-MM-DD-....xml
SysAid-encrypted passwords and domain controller of the LDAP integration; lazy people will use domain\administrator here
SysAid-encrypted passwords and server names of the mailbox for email integration
Clear-text password for the domain user, plus the domain controller name, if you are using single sign-on; lazy/inexperienced people will use domain\administrator here
SysAid-encrypted passwords and server names of the mailbox for calendar sync; this user has access to Exchange calendars, and lazy/inexperienced people will use domain\administrator here

So if you are a bit lazy and do not sanitise this zip file before sending it by email to SysAid support, you are potentially sending the following over the internet for everyone, the NSA and friends:
sa password of the database server
domain admin password
SSL cert key
OWA URL
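
One way to do the sanitising step the post asks for, as an added example (this is not SysAid's own tooling and not the original poster's code): unpack the support zip in memory, redact every password-like attribute or element value in the configuration entries listed above, and write a clean zip. It assumes the bundle is a plain zip, that the sensitive entries are the three file paths named in the post, and that passwords sit either in XML attributes (`keystorePass="..."`) or in element text (`<dbPassword>...</dbPassword>`); the sample files, host names and passwords it builds are constructed for the demonstration.

```python
"""Redact credentials from a SysAid support-log zip before attaching it to a ticket.

Added example, not SysAid's own code. Assumptions: the bundle is a plain zip, the
sensitive entries are the XML files named in the post, and passwords live either in
attributes (keystorePass="...") or in element text (<dbPassword>...</dbPassword>).
"""
import io
import re
import zipfile

# Any attribute/element whose name contains one of these tokens is treated as a secret.
# Over-matching (e.g. "passthrough") only costs one extra harmless redaction.
SECRET_TOKENS = ("password", "pass", "pwd", "secret", "credential")
NAME = r"[\w.:-]*(?:%s)[\w.:-]*" % "|".join(SECRET_TOKENS)

# keystorePass="Hunter2!"  ->  groups: (name=) (quote) (value); value may hold the other quote
ATTR_RE = re.compile(r"(%s\s*=\s*)(['\"])((?:(?!\2).)*)\2" % NAME, re.I)
# <dbPassword>x</dbPassword>  ->  groups: (open tag) (name) (text) (close tag)
ELEM_RE = re.compile(r"(<(%s)(?:\s[^>]*)?>)([^<]*)(</\2\s*>)" % NAME, re.I)

# Entry paths from the post; the account file name carries a date, hence the wildcard.
SENSITIVE_ENTRIES = re.compile(
    r"(?:tomcat[/\\]server\.xml|WEB-INF[/\\]conf[/\\](?:serverConf\.xml|accountConf-.*\.xml))$",
    re.I,
)


def redact(text):
    """Return (text with secret values replaced by REDACTED, number of values replaced)."""
    count = 0

    def _elem(m):
        nonlocal count
        count += 1
        return m.group(1) + "REDACTED" + m.group(4)

    def _attr(m):
        nonlocal count
        count += 1
        return m.group(1) + m.group(2) + "REDACTED" + m.group(2)

    text = ELEM_RE.sub(_elem, text)
    text = ATTR_RE.sub(_attr, text)
    return text, count


def sanitize_zip(zip_bytes):
    """Copy the zip, redacting secrets in sensitive entries; returns (zip bytes, {entry: count})."""
    report = {}
    src = zipfile.ZipFile(io.BytesIO(zip_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if SENSITIVE_ENTRIES.search(info.filename):
                # surrogateescape round-trips any non-UTF-8 bytes untouched
                text, n = redact(data.decode("utf-8", "surrogateescape"))
                report[info.filename] = n
                data = text.encode("utf-8", "surrogateescape")
            dst.writestr(zipfile.ZipInfo(info.filename, info.date_time), data,
                         compress_type=zipfile.ZIP_DEFLATED)
    return out.getvalue(), report


def read_entry(zip_bytes, name):
    """Return one entry's content as text (handy for spot-checking the output)."""
    return zipfile.ZipFile(io.BytesIO(zip_bytes)).read(name).decode("utf-8", "surrogateescape")


def leaked_secrets(zip_bytes, secrets):
    """Post-check: which of the known secret strings still occur anywhere in the zip."""
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    blob = b"".join(zf.read(n) for n in zf.namelist())
    return [s for s in secrets if s.encode() in blob]


# Constructed sample bundle (not a real SysAid log zip): the three files from the post
# plus an ordinary log entry that must pass through untouched.
SAMPLE_SECRETS = ["Hunter2!", "Winter2014", "ENCRYPTED-BLOB"]


def build_sample_zip():
    files = {
        "tomcat/server.xml": '<Connector port="8443" SSLEnabled="true" '
                             'keystoreFile="C:\\SysAid\\ssl\\sysaid.jks" keystorePass="Hunter2!" />',
        "WEB-INF/conf/serverConf.xml": "<dbUser>sa</dbUser>\n<dbPassword>ENCRYPTED-BLOB</dbPassword>\n"
                                       "<ssoUser>ACME\\administrator</ssoUser>\n<ssoPassword>Winter2014</ssoPassword>",
        "WEB-INF/conf/accountConf-acme-2014-01-15-1.xml":
            '<ldap server="dc01.acme.local" user="ACME\\administrator" password="Winter2014"/>',
        "logs/sysaid.log": "2014-01-15 10:00:01 INFO  server started",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_zip()
    clean, report = sanitize_zip(raw)
    for entry, n in report.items():
        print(f"{entry}: {n} secret value(s) redacted")
    with open("sanitized.zip", "wb") as f:
        f.write(clean)
```

Run it with the downloaded bundle as the only argument and attach `sanitized.zip` instead. Note what it deliberately leaves alone: the SQL Server name, domain controller names, mailbox/OWA URLs and the keystore path are still in the output, and a password embedded inside a connection-string URL (`...;password=x`) is not matched by the attribute pattern, so open the redacted XML files and read through them before sending.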
Former Community Manager
 
Thank you, Spastibus. This is good advice in general, and I'll be passing this on to Sarah, R&D and Customer Relations so we keep to the safest security practices.

Michael
Former Community Manager
 
Hello Everyone,

We do take security at SysAid very seriously, and I'd like to once again thank Spastibus for the informative post. To minimize risk, our Customer Relations team will now be asking for the logs to be attached to service requests through the SysAid End User Portal over an HTTPS connection. Also, our R&D team has been tasked with improving how account information is encrypted, to ensure that the sensitive account information is kept as secure as possible.

Thank you.

Michael