Details
Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.7.10
Fix Version/s: 1.7.11
Component/s: None
Labels: None
Rank: 0|i003zj:
Affects Database/s: All databases
Affects Web Browser/s: All Web Browsers
Description
In the QT_PDO_QUERY_MASTER table, the full request XML message is stored in the REQUEST_XML column. This includes the message header, which means we could store passwords. This would only be a problem if sites have configured their system to display passwords instead of session keys (tokens).
The QT_QUERY_MASTER table has a similar column that is also called REQUEST_XML. The <query_definition> is the only section of the request message that is stored in the REQUEST_XML column.
In the QT_PDO_QUERY_MASTER table, a modified version of the request message should be stored, the same as we do in the QT_QUERY_MASTER table. By not storing the <message_header>, we do not run the risk of storing and potentially exposing passwords.