Nice to see that the community has started discussing security loopholes with an open heart; after all, it is being done with the good intention of improving the product. Thanks to carlos.gonzalez7 for his blog showing how SAI_AE_DETAILS_GET can be used to find PIISUSER's password. Here I am with my findings on getting the password in another way.
1. Open http://host:port/MessagingSystem
2. Check Received Messages and then the details.
3. Here you have the Base64-encoded username:password in the Transport Header.
4. After you decode UElJU1VTRVI6c3RhcnQyMDEw, you finally get the password: PIISUSER:start2010.
It means that even restricting access to SE37 (FM SAI_AE_DETAILS_GET) won't actually help, and having different passwords for the various service users seems to be the only solution to be more safe and secure.