A new software release was published today. It adds an important feature: you can now specify in more detail what exactly a data field is.

Before this release, a modeled password was hidden only in the obvious place, but leaked in places where it was not addressed that explicitly.

To be precise, the non-obvious parts of the application were reports and lookup controls that link to the entities containing that security-related field.

Example:

This release fixes the hiding of security-related fields so that it works as intended. Similar issues will also be addressable.

Download the products Distributed Multiplatform Framework and CAB DevExpress Codegenerator Compilation. The other products operate locally using SQLite, are therefore not critical, and will be addressed later.

Users who have created the StsManagement software and use it in production have to update the code by regenerating it. As a reference, the above picture shows the SecurityUsers_ApprovedAudiences entity in detail view linking to SecurityUsers. Switch to Designable forms using Settings/ViewDesignableForm and check the dropdown field SecurityUsers in SecurityUsers_ApprovedAudiences. The password field should disappear. Also try to design a report for SecurityUsers. It should now be impossible to leak the password.

Note: The password is a salted value that then gets hashed, so it was at no time possible to extract the clear-text version of the password.

Visit the products page for more details: http://www.lollisoft.de/products.html

Lollisoft Software Development creates software that helps developers in the requirements analysis stage and later in the development of database-related software.

Using UML and code generation techniques, developers can reduce time to market and also reduce errors in code compared to manual software development.