
List:       odtug-webdev-l
Subject:    Re: User, Pass, DB appears in html report parameter form when calling
From:       Fernando Rey <frey () tilsor ! com ! uy>
Date:       2002-07-24 19:36:21

Yes,
we have already proposed this approach.
Edit CGICMD.DAT, include all the user, pass and db info, and
give only Unix operating system read privileges on it to the system
administrator user...
Regards,
Fernando

Iftikhar Ali wrote:

> Edit CGICMD.DAT to hide your username and password. This file is available
> under ..\REPORTS60\SERVER.
> or
> Use Run_report_object instead of a direct URL!
>
> Regards
> Ifti
>
> Fernando Rey wrote:
>
> > Hi,
> > A customer of ours was migrating lots of Developer1.3.2 applications to
> > Developer6i.
> > They are planning to web-deploy their applications using Forms Server...
> >
> > RUN_PRODUCT calls have been replaced by RUN_REPORT_OBJECT calls in
> > combination with WEB.SHOW_DOCUMENT...
> >
> > They are using:
> >
> > DESFORMAT=PDF
> > DESTYPE=CACHE
> > tolerance=0
> >
> > Other information:
> >
> > - connect mode being used : HTTP
> > - using Jinitiator
> > - web deployment method used: CGI
> >
> > The problem is:
> >
> > When you call a report from a web form using this scheme,
> > the user, password and connect string information appears in the page
> > source of the HTML report parameter form.
> > The page source obviously can be edited in the browser.
> >
> > A similar problem occurs when the report is called standalone via URL
> > passing user info.
> >
> > This is unacceptable in terms of security.
> >
> > Any idea to avoid this problem ?
> >
> > Thanks in advance,
> > Fernando
> > Thanks to everyone for making ODTUG 2002 a great success!  Plan now
> > for next year's conference: Loews Miami Beach, Florida, June 22-27, 2003.
> > --
> > Author: Fernando Rey
> >   INET: frey@tilsor.com.uy
> >
> > Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
> > San Diego, California        -- Public Internet access / Mailing Lists
> > --------------------------------------------------------------------
> > To REMOVE yourself from this mailing list, send an E-Mail message
> > to: ListGuru@fatcity.com (note EXACT spelling of 'ListGuru') and in
> > the message BODY, include a line containing: UNSUB ODTUG-WEBDEV-L
> > (or the name of mailing list you want to be removed from).  You may
> > also send the HELP command for other information (like subscribing).
>
> --
> Author: Iftikhar Ali
>   INET: Iftikhar.Ali@noaa.gov

-- 
Author: Fernando Rey
  INET: frey@tilsor.com.uy
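
An added example, not part of the original messages and not Oracle code: a check for the two points raised in this thread, namely whether a saved parameter-form page or report URL still carries a userid=user/password@db string, and whether the key map file is accessible to anyone but its owner. The rwcgi60 path, the hidden-field layout and the sample credentials are constructed assumptions.

```python
import os
import re
import stat

# userid=<user>/<password>@<db>, either in a URL query string or as an HTML
# form field (name="userid" value="..."). The field layout is an assumption.
LOGIN_RE = re.compile(
    r"""userid["']?\s*(?:value\s*)?=\s*["']?([^/\s"'&<>]+)/([^@\s"'&<>]+)@([\w.\-]+)""",
    re.IGNORECASE,
)


def find_exposed_logins(page_source):
    """Return (user, db) pairs whose password is visible in the text.

    The password is matched but never returned or printed.
    """
    return [(m.group(1), m.group(3)) for m in LOGIN_RE.finditer(page_source)]


def keymap_too_open(path):
    """True if group or other have any access to the key map file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


# Constructed samples (not taken from the thread).
LEAKY_FORM = '''<form action="/cgi-bin/rwcgi60" method="post">
<input type="hidden" name="userid" value="scott/tiger@orcl">
<input type="hidden" name="desformat" value="PDF">
</form>'''
LEAKY_URL = ("http://host.example/cgi-bin/rwcgi60"
             "?report=emp.rdf&userid=scott/tiger@orcl&destype=cache")
# Same report requested through a key defined in the key map file.
KEYED_URL = "http://host.example/cgi-bin/rwcgi60?emp_report"

if __name__ == "__main__":
    samples = [("form", LEAKY_FORM), ("url", LEAKY_URL), ("key", KEYED_URL)]
    for label, text in samples:
        print(label, find_exposed_logins(text))
```
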