Author Topic: Cloud Services logging bug  (Read 4767 times)

crequena

Cloud Services logging bug
« on: May 23, 2018, 01:10:20 am »
Hi,

The Cloud Services product is logging passwords as plain text in the server logs.

Code:
2018-05-22 16:37:20 [INFO]: Added database manager - ConnectionStr:  'Provider=SQLOLEDB.1;Password=1234;Persist Security Info=True;User ID=user;Initial Catalog=db;Data Source=ds;DMAlias=db;'

This is a bug similar to Twitter's: https://www.bleepingcomputer.com/news/security/twitter-admits-recording-plaintext-passwords-in-internal-logs-just-like-github/

Will you release a new Cloud Services version correcting this?

Regards.

qwerty

Re: Cloud Services logging bug
« Reply #1 on: May 23, 2018, 01:40:11 am »
Please send a bug report (Support section below this page)!

q.

Sunshine

Re: Cloud Services logging bug
« Reply #2 on: May 23, 2018, 06:52:55 am »
Oooh that's not good. I'm in the process of persuading my organisation, which is very risk averse, to invest in Cloud Pro Server. Maybe I'll wait a little while.
Happy to help
:)

Geert Bellekens

Re: Cloud Services logging bug
« Reply #3 on: May 23, 2018, 02:29:16 pm »
When using EA without cloud server there is an option to encrypt the connection string when saving a project shortcut. This is to avoid storing the password in plain text in the shortcut file.

Maybe there is something like that for the cloud server as well?

If not, you might be able to choose Windows authentication instead of an SQL Server user, or not allow the password to be saved in the ODBC connection.

Geert

crequena

Re: Cloud Services logging bug
« Reply #4 on: May 23, 2018, 05:15:33 pm »
Hi,

Thanks for your replies.

Cloud Services requires that the password is saved in the DSN: https://www.sparxsystems.de/fileadmin/user_upload/pdfs/Cloudservice/Enterprise_Architect_Cloud_Services_setup.pdf (page 12 and following).

The DSN is then logged fully.
Using Windows Authentication could be a workaround in this case, but not with other databases.

Regards.
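
An added example, not part of the thread and not Sparx Systems' code: one way a logging layer can mask the password in an OLE DB/ODBC connection string, such as the one quoted in the first post, before the line is written. The `redact` helper, `RedactFilter` class and logger name are hypothetical; the sample string is the one from the log line in the first post.

```python
import io
import logging
import re

# Matches Password=/PWD= and its value in OLE DB / ODBC connection strings.
_SECRET = re.compile(
    r"""(\b(?:password|pwd)\s*=\s*)      # key, case-insensitive
        (?: "(?:[^"]|"")*"               # "double-quoted" value
          | '(?:[^']|'')*'               # 'single-quoted' value
          | \{(?:[^}]|\}\})*\}           # {braced} ODBC value
          | [^;]*                        # bare value: up to next ';'
        )""",
    re.IGNORECASE | re.VERBOSE,
)

def redact(text, mask="***"):
    """Replace every password value in text with mask, keeping the key."""
    return _SECRET.sub(lambda m: m.group(1) + mask, text)

class RedactFilter(logging.Filter):
    """Masks secrets after %-formatting, so logged arguments are covered."""
    def filter(self, record):
        message = redact(record.getMessage())
        record.msg, record.args = message, None
        return True

# Connection string taken from the log line quoted in the first post.
SAMPLE = ("Provider=SQLOLEDB.1;Password=1234;Persist Security Info=True;"
          "User ID=user;Initial Catalog=db;Data Source=ds;DMAlias=db;")

def demo():
    """Log the sample through a filtered handler and return what was written."""
    buf = io.StringIO()
    log = logging.getLogger("cloud_services_demo")  # hypothetical logger name
    log.setLevel(logging.INFO)
    log.propagate = False
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactFilter())
    log.addHandler(handler)
    log.info("Added database manager - ConnectionStr:  '%s'", SAMPLE)
    log.removeHandler(handler)
    return buf.getvalue()

if __name__ == "__main__":
    print(demo(), end="")
```

A bare (unquoted) value is masked up to the next `;`, so a password that is the last key on a line also masks any text following it; this over-redacts rather than leaking.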