Update HTTPPassword item in names.nsf (backend)

Yesterday, we ran into an issue with the HTTP Password in the person record in names.nsf.

The problem occurred after we upgraded the customer's Domino server from V 9.0.1 to V11.0.1FP1.

The customer has some backend processes installed that let them delegate registering, updating and deleting users and groups to different departments. One part of the process is a piece of code that sets the HTTP password in the person record.

The issue was that the password was stored in clear text after upgrading the server. I looked into the design and found the root of the issue.

In pubnames_9.ntf, the HTTPPassword item has an input translation formula that encodes the password.

In the V11 pubnames.ntf, the HTTPPassword item is missing and so is the input translation formula. The password encoding has been moved to the "Enter Password" button.

As a consequence, if you set the password in a backend agent, the string is not encoded and is visible in clear text to others.

The fix is simple. We changed our agent code from

...
' stores the clear-text value: GetItemValue returns an array, so take element 0
doc.HTTPPassword = pwdDoc.GetItemValue("pwd")(0)
...

to

...
Dim result As Variant
' let the @Password formula function hash the clear-text value
result = Evaluate(|@Password("| + pwdDoc.GetItemValue("pwd")(0) + |")|)
doc.HTTPPassword = result(0)
...
Call doc.Save(True, False)

to encode the password. This tip might be useful if you have similar processes implemented.
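Building the formula by concatenating the password string, as in the agent code above, fails whenever the password itself contains a double quote, because the quote ends the formula's string literal. Evaluate accepts a NotesDocument as its second argument, so @Password can read the item directly instead of having the value pasted into the formula text. The following LotusScript is an added example, not code from the original post or from the customer's agent; it assumes the request document carries the clear-text value in an item named "pwd" (the item name used in the post) and that this request document is itself stored in a database, so the clear-text item is removed once it has been consumed.

```lotusscript
' Added example (not from the original post): set HTTPPassword from a backend agent
' without concatenating the clear-text password into the formula string.
' Assumptions: "doc" is the Person document in names.nsf; "pwdDoc" is a request
' document that carries the clear-text value in an item named "pwd".
Sub SetHttpPassword(doc As NotesDocument, pwdDoc As NotesDocument)
    Dim result As Variant
    Dim clearText As String

    clearText = pwdDoc.GetItemValue("pwd")(0)
    If clearText = "" Then
        Error 1001, "Request document carries no password"
    End If

    ' Evaluate with pwdDoc as context: @Password reads the "pwd" item itself, so a
    ' double quote or backslash in the password cannot break the formula syntax.
    result = Evaluate(|@Password(pwd)|, pwdDoc)

    ' Refuse to save unless the value is actually the hashed form. @Password returns
    ' the hash enclosed in parentheses; the raw string must never reach names.nsf.
    If Left(result(0), 1) <> "(" Or result(0) = clearText Then
        Error 1002, "HTTPPassword was not encoded; refusing to save"
    End If

    Call doc.ReplaceItemValue("HTTPPassword", result(0))
    Call doc.Save(True, False)

    ' Assumed part of the process: drop the clear-text value from the request
    ' document once it has been consumed, so it is not left readable in the database.
    Call pwdDoc.RemoveItem("pwd")
    Call pwdDoc.Save(True, False)
End Sub
```

Call it from the agent as Call SetHttpPassword(personDoc, requestDoc). The check on the returned value is what protects against a repeat of the original incident: if a future template change alters how @Password behaves in Evaluate, the agent stops instead of silently writing the clear-text password into the person record.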

I have not looked into the design of Domino 10. But chances are that HCL has changed the design also in this release.


For a Piece of Chocolate

[via Axel Janssen]

The security of company data and networks is a horror. Everything always has to be terribly secure. The admin already breaks out in a rash when someone brings in their private USB stick, and in many large corporations employees are not even allowed to carry a camera phone. Why all the effort? Absolutely unnecessary, a pure waste of time and money. If we are honest, securing company networks has to be dismissed as nothing more than a job creation scheme.

More on this can be read here.