
It is good to see the community discussing these security loopholes openly; after all, it is being done with the good intention of improving the product. Thanks to Carlos Gonzalez for his blog showing how SAI_AE_DETAILS_GET can be used to find PIISUSER's password; here are my findings on another way to get that password.

1. Open http://host:port/MessagingSystem

2. Open Received Messages and then the details of a message.

3. In the Transport Header you will find the base64-encoded username:password, i.e. the HTTP Basic Authorization header of the request. Base64 is an encoding, not encryption, so anyone who can read the monitor recovers the clear-text password.

4. After you decode UElJU1VTRVI6c3RhcnQyMDEw you get PIISUSER:start2010, so the password of PIISUSER is start2010.
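The decoding step above is a one-liner, but what a practitioner usually needs is to scan an export of the monitor, a proxy log or a capture for every leaked Basic credential and to redact the dump before it is shared. The following script is an added example, not code from the original post or from SAP; the transport-header dump it parses is constructed for the example (the host name and the header layout are assumptions), and the only real value in it is the token quoted in the post.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed sample in the style of a transport-header dump from the
# Messaging System monitor (assumption: one "Name: Value" pair per line;
# host name and other header values are made up for this example).
SAMPLE_TRANSPORT_HEADERS = """\
Host: pihost.example.com:50000
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://sap.com/xi/WebService/soap1.1"
Authorization: Basic UElJU1VTRVI6c3RhcnQyMDEw
Content-Length: 4211
"""

# One Authorization header per line; the capture group is the base64 token.
_BASIC_RE = re.compile(
    r"^Authorization[ \t]*:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)[ \t\r]*$",
    re.IGNORECASE | re.MULTILINE,
)


def decode_basic_credential(token: str) -> Optional[Tuple[str, str]]:
    """Decode one HTTP Basic token into (username, password).

    Base64 is an encoding, not encryption: whoever can read the header
    recovers the clear-text password. Returns None for malformed tokens.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # RFC 7617: the user-id must not contain ':', so the first ':' is the split.
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


def find_leaked_credentials(header_dump: str) -> List[Tuple[str, str]]:
    """Return every decodable (user, password) pair in a header dump."""
    found = []
    for token in _BASIC_RE.findall(header_dump):
        creds = decode_basic_credential(token)
        if creds is not None:
            found.append(creds)
    return found


def redact_basic_tokens(header_dump: str) -> str:
    """Mask Basic tokens so the dump can be stored or shared safely."""
    return _BASIC_RE.sub("Authorization: Basic <redacted>", header_dump)


if __name__ == "__main__":
    for user, password in find_leaked_credentials(SAMPLE_TRANSPORT_HEADERS):
        print(f"leaked credential: user={user} password={password}")
    print(redact_basic_tokens(SAMPLE_TRANSPORT_HEADERS))
```

Run it against a real export by reading the file into `find_leaked_credentials`; any hit means the service user's password is recoverable by every person who can open the monitor, and `redact_basic_tokens` is what to apply before such an export leaves the system.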


This means that even restricting access to SE37 (and so to FM SAI_AE_DETAILS_GET) does not actually help; using a different password for each service user seems to be the only way to be safer and more secure.


6 Comments


  1. Pavan kumar

    [screenshot attached: PI711SP6.jpg]

    Sunil,

    Nice blog, I think this was fixed after release PI711 SP04.

    I checked in PI711 SP06 and don't find the encoded password. Attached screenshot for reference.

    Cheers

    Pavan

