Today a new software release has been published. An important new
feature was added that allows specifying in more detail what exactly
a data field is.
Before this release, a modeled password was hidden only in the obvious place, but leaked in places where it was not addressed that explicitly.
To be precise, the non-obvious parts of the application were reports and lookup controls that link to the entities containing that security-related field.
Example:
This release fixes the handling so that security-related fields are hidden as intended. Similar issues will also be addressable.
Download the products Distributed Multiplatform Framework and CAB DevExpress Codegenerator Compilation. Other products operate locally using SQLite, are therefore not critical, and will be addressed later.
Users who have created the StsManagement software and use it in production have to update the code by regenerating it. As a reference, the above picture shows the SecurityUsers_ApprovedAudiences entity
in detail view linking to SecurityUsers. Switch to designable forms
using Settings/ViewDesignableForm and check the dropdown field
SecurityUsers in SecurityUsers_ApprovedAudiences. The password
field should disappear. Also try to design a report for SecurityUsers.
It should now be impossible to leak the password.
Note: The password is salted and then hashed, so at no time was it possible to extract the clear-text version of the password.
Visit the products page for more details: http://www.lollisoft.de/products.html
Lollisoft Software Development creates software that helps developers in the requirements analysis stage and later in the development of database-related software.
Using UML and code generation techniques, developers can reduce time to market and also reduce errors in code compared to manual software development.