Another way to find PIISUSER's password
It is good to see the community discussing these security loopholes openly; after all, it is done with the intention of improving the product. Thanks to Carlos Gonzalez for his blog showing how the function module SAI_AE_DETAILS_GET can be used to find PIISUSER's password. Here are my findings on how the same password can be obtained in another way.
1. Open http://host:port/MessagingSystem
2. Go to Received Messages and open the details of a message.
3. The Transport Header shown there contains the HTTP Basic authentication header, i.e. username:password encoded in Base64.
4. Decoding UElJU1VTRVI6c3RhcnQyMDEw gives PIISUSER:start2010, which is the password.
This means that merely restricting access to SE37 (and thereby to FM SAI_AE_DETAILS_GET) does not close the hole, because the credential is also readable from the message monitor. Using a different password for each service user is the only way to limit the damage if one of them is exposed.
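As an added example (not part of the original post or of SAP PI), the following Python script performs the check a practitioner would want after reading the steps above: given a text export of a transport header as shown in the Messaging System details, it finds any HTTP Basic authorization header, decodes the Base64 token into username and password, and then reports whether the same password is used by more than one service user. The header dump below is constructed for the example; only the Base64 token is the one quoted in the post. The function and variable names are this example's own assumptions.

```python
import base64
import binascii
import re

# Constructed sample of a transport-header dump in the form the Messaging
# System details present it ("Name: value" lines). Host, SOAPAction and
# Content-Length are made up; the Basic token is the one from the post.
SAMPLE_HEADERS = """Host: pihost:50000
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://sap.com/xi/WebService/soap1.1"
Authorization: Basic UElJU1VTRVI6c3RhcnQyMDEw
Content-Length: 1847
"""

# Matches "Authorization: Basic <token>" (and the proxy variant) on its own line.
BASIC_RE = re.compile(
    r"^[ \t]*(?:Authorization|Proxy-Authorization)[ \t]*:[ \t]*Basic[ \t]+"
    r"([A-Za-z0-9+/=]+)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)


def decode_basic_token(token):
    """Decode one HTTP Basic token (RFC 7617) into (user, password).

    Returns None when the token is not valid Base64 or does not contain the
    mandatory ':' separator, so a corrupted or truncated dump is reported as
    "no credential" rather than as a garbage password.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace")
    if ":" not in text:
        return None
    user, _, password = text.partition(":")
    return user, password


def find_exposed_credentials(header_dump):
    """Return a list of (user, password) pairs for every Basic header in the dump."""
    found = []
    for match in BASIC_RE.finditer(header_dump):
        creds = decode_basic_token(match.group(1))
        if creds is not None:
            found.append(creds)
    return found


def password_reuse(credentials):
    """Group users by password; keep only passwords shared by more than one user.

    Feeding in the credentials recovered from many messages shows which
    service users would all be compromised by a single exposed header.
    """
    users_by_password = {}
    for user, password in credentials:
        users_by_password.setdefault(password, set()).add(user)
    return {pw: sorted(users) for pw, users in users_by_password.items() if len(users) > 1}


if __name__ == "__main__":
    for user, password in find_exposed_credentials(SAMPLE_HEADERS):
        # Mask the password when printing; the point is that it is recoverable.
        print(f"Basic credential exposed in transport header: {user}:{password[:2]}***")
```

Running the script against the constructed dump reports PIISUSER with a masked password. To assess password reuse across service users, collect the pairs returned by find_exposed_credentials for several messages sent by different users and pass them to password_reuse.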
Hello,
This security hole has been closed in PI 7.3x.
Regards,
William Li
That's great, thanks for the information, Bill.
Hello,
Any plans to fix older versions?
Regards,
Michal
I can't see the Base64-encoded password on PI 7.11 SP08. Which PI version are you on?
Regards,
Prateek Raj Srivastava
Hi Prateek,
I checked on PI 7.11 SP04 and PI 7.0 SP14.
Regards,
Sunil Chandra
Sunil,
Nice blog. I think this was fixed after release PI 7.11 SP04.
I checked in PI 7.11 SP06 and don't find the encoded password. Attached is a screenshot for reference.
Cheers
Pavan