This question was originally posted on DCIM Support by Garry Priestland on 2017-08-15
I discovered today that the Windows backup share setting dialog allows you to screen scrape the password of the user. Not good, since this is often the user's Windows / domain password.
FYI I used AsteriskKey to get the passwords.
The same is true for every password / sensitive field in the dialog boxes that are used to set up / edit an SNMP config template.
Version of DCE is 7.4.3
Thought it best to not post this publicly...
This answer was originally posted on DCIM Support by Steven Marchetti on 2017-08-15
I can and will forward this to engineering. You've tested this on previously saved screens and not something you just entered, correct?
This comment was originally posted on DCIM Support by Garry Priestland on 2017-08-15
I tested it today on several dialog boxes in the SNMP template creation and editing, and was also able to find out a colleague's laptop password from the Backup screen. I knew it used to be possible for all users on DCE but this got corrected at version 7.4+?
The clue was that the field lengths were shorter (fewer asterisks were displayed) than normal since the 7.4+ update. The screen scraper returns DEFAULT_PASSWORD on 'protected' password fields, which is actually displayed as **************** - 16 asterisks, as there are 16 chars in "DEFAULT_PASSWORD".
An example today also was that I was able to scrape the passwords from NMC that had their credentials changed using a saved SNMP config template. Actually very useful 😀 arguably not secure. Truth is I can't do any of this unless I have the DCE server Administrative access anyway, so is it that insecure?
The image above is an example of what I mean (but is not the one I did today).
This comment was originally posted on DCIM Support by Steven Marchetti on 2017-08-16
Yea, looks like they fixed it at least in 7.4.3. I tried and as long as I save and go back to the dialog, I just see default_password too:
This comment was originally posted on DCIM Support by Garry Priestland on 2017-08-21
Hi Steve - I was on another site on Thursday and managed to get the customer's share password from their backup config using this same method. I had not set up this backup or logged into this server locally before until Thursday and the server is on V7.4.3.
I have no idea why we are getting what appears to be different behaviour. The only thing I can think of is that the servers I was connected to were all upgraded from previous versions. Was the one you were using a clean install at 7.4.3 or was it upgraded too?
This comment was originally posted on DCIM Support by Steven Marchetti on 2017-08-21
I think it may have been a restore. Do you know what version(s) of java they have on their system?
This comment was originally posted on DCIM Support by Steven Marchetti on 2017-08-22
Did you find out anything more about the customer's client... any other versions of Java? After requesting that kind of info I thought more about your suggestion about it being a system that has been updated multiple times vs something that has been recently restored. I'm thinking that really shouldn't matter. You're not capturing anything from the server, you're pulling the data from the client. The client should pull any required data regardless of the server. An install of the client on a fresh system should be able to tell.
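The 'protected' field behaviour discussed in the thread (a reopened dialog holding only DEFAULT_PASSWORD), sketched as an added example that is not part of the original posts and is not Data Center Expert code. The class `MaskedSecretField` and its methods are hypothetical; it assumes a Swing `JPasswordField` and that the server keeps the stored secret unless the client sends a new one.

```java
import java.util.Arrays;
import javax.swing.JPasswordField;

// Hypothetical dialog-binding helper (assumption, not the product's code).
public class MaskedSecretField {
    // Sentinel shown in place of a stored secret; value quoted in the thread.
    static final String PLACEHOLDER = "DEFAULT_PASSWORD";

    private final JPasswordField field = new JPasswordField();
    private final boolean hasStoredSecret;

    MaskedSecretField(boolean hasStoredSecret) {
        this.hasStoredSecret = hasStoredSecret;
        // The saved secret is never loaded into the control. Only the sentinel
        // is, so reading the control's text on a reopened dialog yields nothing useful.
        field.setText(hasStoredSecret ? PLACEHOLDER : "");
    }

    JPasswordField widget() {
        return field;
    }

    // Returns the new secret to send to the server, or null when the user left
    // the field untouched or empty (the server then keeps what it already has).
    char[] changedSecret() {
        char[] typed = field.getPassword();
        boolean untouched = hasStoredSecret
                && Arrays.equals(typed, PLACEHOLDER.toCharArray());
        if (untouched || typed.length == 0) {
            Arrays.fill(typed, '\0'); // do not leave copies in memory
            return null;
        }
        return typed; // caller zeroes this array after sending it
    }

    public static void main(String[] args) {
        MaskedSecretField saved = new MaskedSecretField(true);
        // What a tool reading the control would get from a reopened dialog.
        System.out.println(new String(saved.widget().getPassword()));
        // Untouched field: nothing is sent, stored secret is kept.
        System.out.println(saved.changedSecret() == null);
        // Constructed sample value standing in for a newly typed password.
        saved.widget().setText("n3w-constructed-value");
        System.out.println(saved.changedSecret() != null);
    }
}
```

A value typed into the field but not yet saved is still held by the control, which is the distinction raised in the first reply.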