• Article Type: General
• Product: Aleph
• Product Version: 18.01

Description:
Problem:

For some X services such as BOR-AUTH it is mandatory to enter the user password and verification.
But, the verification also appears in the www log file.
This of course is a security problem. The verification should not appear in the log file.

Example:

If I do this:

http://il-aleph07:8993/X?op=bor-auth&library=usm50&bor_id=313972002

Then I get an error message: "Both Bor_Id and Verification must be supplied"


If I do this then it works:

http://il-aleph07:8993/X?op=bor-auth&library=usm50&bor_id=313972002&verification=313972002

But the log file stores the verification and this is considered a security breach.

2010-03-17 12:43:42 74 [000] [vrb] server_main: OUT 0.0382 435
2010-03-17 12:44:00 17 [000] [vrb] IN 20100317 124400
ip address: 10.1.234.8 587
request: "/X?op=bor-auth&library=usm50&bor_id=313972002&verification=313972002"
X SERVICE: BOR-AUTH

Do not want verification stored in the www_server log file.

Resolution:
Fixed in v.20 by rpc #3339

• Article last edited: 10/8/2013