Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- 1.7.10
- None
- None
- All databases
- All Web Browsers
Description
In the QT_PDO_QUERY_MASTER table, the full request XML message is stored in the REQUEST_XML column. This includes the message header, which means we could store passwords. This would only be a problem if sites have configured their system to display passwords instead of session keys (tokens).
The QT_QUERY_MASTER table has a similar column, also called REQUEST_XML. The <query_definition> is the only section of the request message that is stored in that REQUEST_XML column.
In the QT_PDO_QUERY_MASTER table, a modified version of the request message should be stored, the same as we do in the QT_QUERY_MASTER table. By not storing the <message_header>, we do not run the risk of storing and potentially exposing passwords.
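The change described above, sketched in Python as an added example (not the project's own code): remove the <message_header> before the request is written to REQUEST_XML, and audit values already stored for a leftover header or password. The sample message, its <security>, <username> and <message_body> elements, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample request (not a captured message).
SAMPLE_REQUEST = """<request>
  <message_header>
    <security>
      <username>demo</username>
      <password>constructed-secret</password>
    </security>
  </message_header>
  <message_body>
    <query_definition>
      <query_name>constructed example</query_name>
    </query_definition>
  </message_body>
</request>"""

SENSITIVE = {"message_header", "password"}

def local_name(tag):
    """Strip an optional '{namespace}' prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]

def strip_header(request_xml):
    """Return the request with every <message_header> subtree removed."""
    root = ET.fromstring(request_xml)
    if local_name(root.tag) == "message_header":
        raise ValueError("nothing storable: document is only a header")
    for parent in list(root.iter()):
        for child in list(parent):
            if local_name(child.tag) == "message_header":
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")

def flag_stored_rows(rows):
    """Audit helper: ids of stored REQUEST_XML values that still carry a header or password."""
    flagged = []
    for row_id, xml_text in rows:
        try:
            names = {local_name(e.tag) for e in ET.fromstring(xml_text).iter()}
        except ET.ParseError:
            flagged.append(row_id)  # unparseable value: review by hand
            continue
        if names & SENSITIVE:
            flagged.append(row_id)
    return flagged
```

Matching on local element names keeps the check working when the request uses namespace prefixes.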