
    Passwords appear in clear-text in apache log and renewal URL

    • Article Type: General
    • Product: Aleph
    • Product Version: 18.01

    Description:
    Our users have been sending a URL such as: http://il-aleph07.corp.exlibrisgroup.com:8993/F?func=bor-info to our www_server, which prompts them for a username/password, and then takes them to the My Library Card screen where they can renew their items on loan.

    The unencrypted password is exposed in two places in this scenario: the URL in which they enter the password (as seen in the www_server log) and in the apache log.

    Resolution:
    We suggested that they have the users follow the "normal" path: connect to the OPAC, log in, and go to My Library Card.

    The site "removed the direct link to Loans and now require users to go through the normal Catalog login, then My Library Card, etc. Passwords no longer appear on the URL. The problem with passwords appearing in the apache log file was a direct result of that URL, so both problems have now been resolved."
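To check whether existing Apache logs still hold passwords from the period before the link was removed, the sketch below (an added example, not Ex Libris code) scans access-log lines for credential-bearing query parameters in both the request line and the Referer field, and produces redacted copies. The parameter names, the `login-session` value, hosts, and log lines are assumptions constructed for illustration; substitute the names your login form actually submits.

```python
import re

# Assumed names of query parameters that carry a secret (not taken from the article).
SENSITIVE = ("bor_verification", "password", "passwd", "pwd", "pin")

# Matches ?name=value or &name=value anywhere in a log line, so it covers the
# request line and a Referer field that repeats the credential-bearing URL.
PARAM_RE = re.compile(
    r'(?P<lead>[?&](?P<name>' + "|".join(map(re.escape, SENSITIVE)) + r')=)'
    r'(?P<value>[^&\s"]+)',
    re.IGNORECASE,
)

def scan_line(line):
    """Return (names of exposed parameters, line with their values redacted)."""
    names = [m.group("name") for m in PARAM_RE.finditer(line)]
    redacted = PARAM_RE.sub(lambda m: m.group("lead") + "REDACTED", line)
    return names, redacted

def scan_log(lines):
    """Return [(line_number, exposed_names, redacted_line)] for affected entries."""
    findings = []
    for number, line in enumerate(lines, 1):
        names, redacted = scan_line(line)
        if names:
            findings.append((number, names, redacted))
    return findings

# Constructed sample entries in Apache combined log format.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Oct/2013:10:15:02 +0000] "GET /F?func=bor-info HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [08/Oct/2013:10:15:09 +0000] "GET /F?func=login-session'
    '&bor_id=EXAMPLEID&bor_verification=ExamplePw1 HTTP/1.1" 200 7311 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [08/Oct/2013:10:15:20 +0000] "GET /F?func=bor-info HTTP/1.1" '
    '200 4096 "http://opac.example.org/F?func=login-session&bor_id=EXAMPLEID'
    '&bor_verification=ExamplePw1" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, names, redacted in scan_log(SAMPLE_LOG):
        print(f"line {number}: exposed {', '.join(names)}")
        print(f"  {redacted}")
```

Parameter names that arrive percent-encoded are not matched by this pattern, and any password found in a log should be treated as exposed and changed, since rotated and backed-up copies of the log hold it too.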


    • Article last edited: 10/8/2013