  2. WT-1514

PASSWORD RETURNED IN SERVER RESPONSE

    Details

    • Type: Enhancement
    • Status: Closed
    • Priority: Medium
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 1.0
    • Component/s: BenAdmin
    • Labels:
      None
    • Module:
      BenAdmin - Security
    • Reported by:
      Support
    • Item State:
      Production Complete
    • Sprint:
      WT Sprint 1

      Description

      Praetorian reported that returning the password in the server response is a potential threat to the system.

      The user's password is returned in the response from the server when an administrator creates an account for a new employee.
      By sending a user password as a response during account registration, WORKTERRA increases the possibility of the password being sniffed on the wire or compromised via local workstation access.
      When registering a new employee, the employee's default password was displayed to the registrar.

      Ideally we should not display the password to the administrator.

      We need to find all locations in the system where we send a password to the client side.

      A possible solution is to remove the add-employee popup that displays credentials.
      A configuration flag should decide whether to display the newly added employee's password in the alert.
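      As an added illustration (not WORKTERRA code), the handler below shows the flag-gated response described above, together with a small audit that walks an API response and reports every credential-like key; that audit is the kind of check that helps locate all the places a password reaches the client. The flag name, key pattern and response shape are assumptions.

```python
import re
import secrets

# Hypothetical config flag: when False (the safe default) the add-employee
# response never carries the generated password.
DISPLAY_NEW_EMPLOYEE_PASSWORD = False

# Starting list of key names that indicate a credential in an outbound response.
CREDENTIAL_KEY = re.compile(r"(password|passwd|pwd)", re.IGNORECASE)


def create_employee(name, email, display_password=DISPLAY_NEW_EMPLOYEE_PASSWORD):
    """Create an employee record and build the response sent to the admin UI.

    The default password is generated server-side (a real system would store
    only a hash and deliver the secret out of band); it is placed in the
    response only when the config flag explicitly allows it.
    """
    default_password = secrets.token_urlsafe(12)
    record = {"id": secrets.token_hex(4), "name": name, "email": email}
    # Persisting the hashed password is omitted here.
    response = {"employee": record, "message": "Employee created"}
    if display_password:
        response["credentials"] = {"username": email, "password": default_password}
    return response


def find_credential_fields(obj, path=""):
    """Return the dotted paths of every credential-like key in a response object.

    Intended as a test or CI check run over captured API responses so that each
    location sending a password to the client side is found and reviewed.
    """
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            full = f"{path}.{key}" if path else key
            if CREDENTIAL_KEY.search(key):
                hits.append(full)
            hits.extend(find_credential_fields(value, full))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            hits.extend(find_credential_fields(value, f"{path}[{index}]"))
    return hits


if __name__ == "__main__":
    # With the flag off, the audit finds nothing in the add-employee response.
    print(find_credential_fields(create_employee("Jane Doe", "jane@example.com")))
```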

        Attachments

        1. Add_Employee_Enhancement.doc
          81 kB
        2. Admin login.png
          179 kB
        3. Disply password flag settings.png
          176 kB
        4. Employee credencials.png
          173 kB
        5. Password credencial for SEO Module.png
          178 kB
        6. Password Enhancement.xls
          18 kB

          Activity

          deepalit Deepali Tidke (Inactive) added a comment -

          For SEO also it is checked. Ready for production.

          deepalit Deepali Tidke (Inactive) added a comment -

          Kindly check this on production.

          kunal.kedari Kunal Kedari (Inactive) added a comment -

          We have verified the enhancement on Production for BenAdmin & Recruit module, working as expected.

          kunal.kedari Kunal Kedari (Inactive) added a comment - edited

          This is deployed and verified on production.

          satyap Satya added a comment -

          This fix has been done as part of Security testing points reported from Praetorian.

            People

            Assignee:
            jennifer.leugers Jennifer Leugers
            Reporter:
            vijayendra Vijayendra Shinde (Inactive)
            Account Executive:
            David Rhodes (Inactive)
            Votes:
            0
            Watchers:
            8

              Dates

              Created:
              Updated:
              Resolved: