SOI User names and passwords are shown in the source code

Document ID : KB000111004
Last Modified Date : 14/08/2018
Question:
Is it a security risk that SOI has usernames and encrypted passwords in configuration files?
Environment:
SOI 4.0
SOI 4.2
Answer:
The SOI UI and Manager are admin portals. The SOI application connects to various connectors such as databases, SMTP, etc. The configuration details for these, such as hostname, username, password and port, are entered by the administrator. When the administrator revisits the configuration pages, he sees the password value in encrypted form and not in clear text.
<input type="hidden" size="30" name="smtpPassword_value" value="EIBxlDsGeasfM1IL15ipNity4MXh19HPi4eJgmH6TQ5W">
1. Only the SOI application can decrypt the encrypted value.
2. Only administrators have access to the configuration pages.
3. The configuration details are added in the administrator pages only by the administrator.
4. Even if an attacker gains admin credentials through various means, he can only see the password in encrypted form and cannot decrypt it.
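
An administrator can confirm the behaviour described above on their own installation by saving the source of a configuration page and checking that no configured password appears in it verbatim. The Python check below is an added example, not part of the original article or of SOI; the sample markup, the `audit_page` helper and the secrets passed to it are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample page source, modelled on the hidden field quoted above.
# The host name and the field value are made up for this example.
SAMPLE_PAGE = """<form>
  <input type="text" name="smtpHost_value" value="mail.example.test">
  <input type="hidden" size="30" name="smtpPassword_value"
         value="CONSTRUCTED-SAMPLE-CIPHERTEXT"/>
</form>"""


class InputCollector(HTMLParser):
    """Collect (name, type, value) for every <input> element in a page."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing <input .../> via handle_startendtag.
        if tag == "input":
            a = dict(attrs)
            self.fields.append((a.get("name") or "",
                                (a.get("type") or "text").lower(),
                                a.get("value") or ""))


def audit_page(html, known_secrets):
    """Report each password-like input and whether it leaks a known secret.

    known_secrets: the clear-text passwords the administrator configured,
    supplied locally for comparison only (assumption of this example).
    """
    parser = InputCollector()
    parser.feed(html)
    findings = []
    for name, ftype, value in parser.fields:
        if "password" not in name.lower() and ftype != "password":
            continue  # not a credential field
        if not value:
            status = "empty"
        elif any(s and s in value for s in known_secrets):
            status = "CLEAR-TEXT"
        else:
            status = "not clear text"
        findings.append({"field": name, "type": ftype, "status": status})
    return findings


if __name__ == "__main__":
    for finding in audit_page(SAMPLE_PAGE, ["S3cret!"]):
        print(finding)
```
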