Medium Pretorian reported an issue that password is returning is server response is potential threat to system.
The user’s password is returned in the response from the server when an administrator creates an account for a new employee
By sending a user password as a response during account registration, WORKTERRA increases the possibility of the password being sniffed on the wire, or compromised via local workstation access.
When registering a new employee, the employee's default password was displayed to the registrar.
Ideally we should not display password to administrator.
We need to find out all possible locations in System where we are sending password to client side.
Possible solution for this is to remove add employee popup which displays credentials.
Configuration flag should decide whether we need to display newly added employee password in alert or not.
| Field | Original Value | New Value |
|---|---|---|
| Status | New Request [ 10029 ] | Pending for Approval [ 10002 ] |
| Status | Pending for Approval [ 10002 ] | Approved for Development [ 10003 ] |
| Assignee | Vijayendra Shinde [ ID10506 ] |
| Assignee | Vijayendra Shinde [ ID10506 ] | Swapnil Pandhare [ swapnil.pandhare ] |
| Status | Approved for Development [ 10003 ] | In Development [ 10007 ] |
| Item State | Parent values: Development(10200)Level 1 values: Development Backlog(10205) |
| Item State | Parent values: Development(10200)Level 1 values: Development Backlog(10205) | Parent values: Development(10200)Level 1 values: In Analysis(10204) |
In analysis. We will share ETA by tomorrow.
| Attachment | Add_Employee_Enhancement.doc [ 14049 ] |
Hi Vijayendra Shinde ,
Can you please verify analysis document for this if it addresses the requirement ?
Thanks,
Hi Swapnil,
Document looks good to me. You can proceed with development for this. Please make sure we are adding flag in relevant section on Security page.
Thanks.
Due to short of bandwidth , we are keeping this enhancement on Hold.
| Item State | Parent values: Development(10200)Level 1 values: In Analysis(10204) | Parent values: Development(10200)Level 1 values: On Hold(10207) |
| Dev Estimates | 24 |
| QA Estimates | 12 |
| Fix Version/s | 1.0 [ 10000 ] |
Hi Chaitali,
We will start with this enhancement today.
| Assignee | Swapnil Pandhare [ swapnil.pandhare ] | Chaitali Acharya [ chaitali.acharya ] |
| Issue Type | Change Request [ 10002 ] | Enhancement [ 4 ] |
| Issue Type | Enhancement [ 4 ] | Change Request [ 10002 ] |
| Status | In Development [ 10007 ] | Local Testing [ 10200 ] |
| Status | Local Testing [ 10200 ] | Reopen in Local [ 10018 ] |
| Status | Reopen in Local [ 10018 ] | In Development [ 10007 ] |
Started with the enhancement today.
| Account Executive | David Rhodes [Administrator] [ admin ] |
Code related changes are committed on LB
DB Script changes are yet to be deployed on LB .It will be deployed on LB tomorrow.
So will change the status accordingly tomorrow.
| Issue Type | Change Request [ 10002 ] | Enhancement [ 4 ] |
| Issue Type | Enhancement [ 4 ] | Change Request [ 10002 ] |
| Issue Type | Change Request [ 10002 ] | Enhancement [ 4 ] |
| Item State | Parent values: Development(10200)Level 1 values: On Hold(10207) | Parent values: LB QA(10201) |
| Status | In Development [ 10007 ] | Local Testing [ 10200 ] |
| Assignee | Chaitali Acharya [ chaitali.acharya ] | Deepali Tidke [ deepalit ] |
Deepali Tidke
This is deployed on LB.
| Assignee | Deepali Tidke [ deepalit ] | Venkatesh Pujari [ venkatesh.pujari ] |
| Attachment | Password Enhancement.xls [ 15315 ] |
Please note that if the employee is not given any email address while adding him into the system the credentials will not be sent to anyone(employee nor admin).
| Sprint | WT Sprint 1 [ 6 ] |
| Rank | Ranked higher |
| Item State | Parent values: LB QA(10201) | Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213) |
| Rank | Ranked higher |
| Status | Local Testing [ 10200 ] | Reopen in Local [ 10018 ] |
| Status | Reopen in Local [ 10018 ] | In Development [ 10007 ] |
| Status | In Development [ 10007 ] | Local Testing [ 10200 ] |
| Status | Local Testing [ 10200 ] | Pending for Stage Approval [ 10300 ] |
| Status | Pending for Stage Approval [ 10300 ] | Approved for Stage [ 10030 ] |
Checked into Stage
| Status | Approved for Stage [ 10030 ] | Stage Testing [ 10201 ] |
| Item State | Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213) | Parent values: Stage QA(10202) |
Please assign this ticket to someone
| Assignee | Venkatesh Pujari [ venkatesh.pujari ] | Deepali Tidke [ deepalit ] |
kindly check this and discuss once with Venkatesh before starting it.
| Assignee | Deepali Tidke [ deepalit ] | Dhanashree Sherkar [ dhanashree.sherkar ] |
Verified on stage.
Company name:- 1.OCSD for hspl
2.City of Durham For HSPL
Log in:-1.Partner
2.Admin
On security page system displayed check box for 'To Display Password on Add Employee.'
Admin/partner can check or uncheck check box for password.
refer attached screenshot.
On Add employee page system not displayed employee credential for uncheck.
Employee credential pop up displayed when check box is selected.
Refer attached screenshot.
above scenarios tested for benadmin & Recruit module.
For SEO testing is in progress.
Dhanashree Sherkar (Inactive)
added a comment - Verified on stage.
Company name:- 1.OCSD for hspl
2.City of Durham For HSPL
Log in:-1.Partner
2.Admin
On security page system displayed check box for 'To Display Password on Add Employee.'
Admin/partner can check or uncheck check box for password.
refer attached screenshot.
On Add employee page system not displayed employee credential for uncheck.
Employee credential pop up displayed when check box is selected.
Refer attached screenshot.
above scenarios tested for benadmin & Recruit module.
For SEO testing is in progress.
Dhanashree Sherkar (Inactive)
made changes -
| Attachment | Disply password flag settings.png [ 16421 ] |
Dhanashree Sherkar (Inactive)
made changes -
| Attachment | Employee credencials.png [ 16422 ] |
Dhanashree Sherkar (Inactive)
made changes -
| Attachment | Password credencial for SEO Module.png [ 16423 ] |
Dhanashree Sherkar (Inactive)
made changes -
| Attachment | Admin login.png [ 16424 ] |
Foe SEO also it is checked. ready for production.
| Item State | Parent values: Stage QA(10202) | Parent values: Stage QA(10202)Level 1 values: Ready for Production(10217) |
| Item State | Parent values: Stage QA(10202)Level 1 values: Ready for Production(10217) | Parent values: Production QA(10203) |
| Status | Stage Testing [ 10201 ] | Pending for Production Approval [ 10301 ] |
| Status | Pending for Production Approval [ 10301 ] | Approved for production [ 10034 ] |
| Status | Approved for production [ 10034 ] | Production Testing [ 10202 ] |
kindly check this on production
| Assignee | Dhanashree Sherkar [ dhanashree.sherkar ] | Kunal Kedari [ kunal.kedari ] |
We have verified the enhancement on Production for BenAdmin & Recruit module, working as expected.
Kunal Kedari (Inactive)
added a comment - We have verified the enhancement on Production for BenAdmin & Recruit module, working as expected. Kunal Kedari (Inactive)
made changes -
| Resolution | Done [ 10000 ] | |
| Status | Production Testing [ 10202 ] | Production Complete [ 10028 ] |
Kunal Kedari (Inactive)
made changes -
| Item State | Parent values: Production QA(10203) | Parent values: Production Complete(10222) |
Kunal Kedari (Inactive)
made changes -
| Assignee | Kunal Kedari [ kunal.kedari ] | Jennifer Leugers [ jennifer.leugers ] |
| Resolution | Done [ 10000 ] | Fixed [ 1 ] |
| Status | Production Complete [ 10028 ] | Closed [ 6 ] |
This fix has been done as part of Security testing points reported from Praetorian.
| Transition | Time In Source Status | Execution Times |
|---|
|
23s | 1 |
|
4s | 1 |
|
21h 7m | 1 |
|
8d 5h 40m | 2 |
|
1h 7m | 2 |
|
20d 22h 22m | 3 |
|
3s | 1 |
|
1m 16s | 1 |
|
3d 19h 47m | 1 |
|
14d 23h 46m | 1 |
|
2s | 1 |
|
3s | 1 |
Kunal Kedari (Inactive)
made transition
-
|
1d 3h 4m | 1 |
|
54m 18s | 1 |
Due to other priority tasks, keeping this in Backlog.