
Another way to find piisuser’s password

It is nice to see that the community has started discussing security loopholes with an open heart; after all, it is being done with the good intention of improving the product. Thanks to Carlos Gonzalez for his blog showing how SAI_AE_DETAILS_GET can be used to find PIISUSER’s password. Here are my findings on getting the password another way.

1. Open http://host:port/MessagingSystem

2. Check Received Messages and then the details.


3. Here you have the Base64-encoded username:password in the Transport Header.


4. After you decode UElJU1VTRVI6c3RhcnQyMDEw, you finally get the password: PIISUSER:start2010.


This means that even restricting access to SE37 (FM SAI_AE_DETAILS_GET) won’t actually help, and having different passwords for the various service users seems to be the only solution to be more safe and secure.
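To check exported message headers for this exposure before they are stored or shared, the following added example (not part of the original post or of any SAP tooling) finds Basic credentials in a header dump and masks them. The `name=value` dump layout, the `authorization` header name and the function names are assumptions; only the Base64 value is taken from the post.

```python
import base64
import binascii
import re

# An HTTP Basic credential (RFC 7617): "Basic " + base64("user:password").
BASIC_RE = re.compile(r"(?i)\b(authorization\s*[:=]\s*basic\s+)([A-Za-z0-9+/]+={0,2})")

def _decode_user(token):
    """Return the user name inside a Basic token, or None if it is not user:password."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep and user else None

def find_exposed_users(header_dump):
    """List the user names whose Basic credentials appear in the dump."""
    users = []
    for match in BASIC_RE.finditer(header_dump):
        user = _decode_user(match.group(2))
        if user is not None and user not in users:
            users.append(user)
    return users

def redact(header_dump):
    """Mask every decodable Basic token, keeping only the user name for triage."""
    def _sub(match):
        user = _decode_user(match.group(2))
        if user is None:
            return match.group(0)  # not a credential; leave the line untouched
        return f"{match.group(1)}[REDACTED for {user}]"
    return BASIC_RE.sub(_sub, header_dump)

# Constructed sample dump; only the Basic value is the one quoted in the post.
SAMPLE = (
    "content-type=text/xml; charset=utf-8\n"
    "authorization=Basic UElJU1VTRVI6c3RhcnQyMDEw\n"
    "content-length=1234\n"
)

if __name__ == "__main__":
    print(find_exposed_users(SAMPLE))
    print(redact(SAMPLE))
```

Any service user this reports should have its password rotated, since the stored header already disclosed it.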
