How to see the SADMIN / SIEBEL password un-encrypted!

Today i have seen a very strange data in Siebel database that actually shouldn't be there just as a un-encrypted free text. I think people from Siebel Admin would know that which table i am talking about.


Usually all user details in Siebel database are kept in S_USER table and passwords are never stored in Siebel Database. Whenever there is a need to store the password either the value is masked or is stored in database after encryption.

Even in siebns.dat file the password is not stored. All the name subsystems in server manager and on UI use masking to show password. But at one place, as I know the password is kept as clear string. This happens on the Server Manager Job Parameter table i.e. S_SRM_REQ_PARAM table.

I don’t know what was the reason the data on this table was kept unencrypted. If you want to get the password you just need to query the VALUE column of the parameter table and you will find the password in next row where SADMIN or SIEBEL user name is stored.


select VALUE from SIEBEL.S_SRM_REQ_PARAM

This happens because to run certain jobs like Generate Triggers database user and password are required as arguments but due to some limitation of the jobs this data is not encrypted. So if your server administrator use SADMIN as the password for generate trigger command you can see the SADMIN password by querying the database.

Gud luck :)
Category: ,

Comments (8)

Loading... Logging you in...
Dashboard | Edit profile | Logout
  • Logged in as
+3 Vote up Vote down
Gaurav's avatar

Gaurav · 805 weeks ago

This is good one Tejeshwar !!

very nice to see this hacking trick !!
1 reply · active less than 1 minute ago
Loading...
+3 Vote up Vote down
Tejeshwer's avatar - Go to profile

Tejeshwer 34p · 805 weeks ago

Thnx!

But keep the table cleanup component in mind, this component clears the completed jobs from the table.
+2 Vote up Vote down
Geeksajan's avatar

Geeksajan · 800 weeks ago

This is a good technique("S_SRM_REQ_PARAM" watch)

But a more reliable way is using a Runtime Business Service.
Check out this:
http://geeksajan.blogspot.com/2009/10/runtime-mag...

--- geeksajan
1 reply · active 800 weeks ago
Loading...
+3 Vote up Vote down
Tejeshwer's avatar - Go to profile

Tejeshwer 34p · 800 weeks ago

geeksajan, please explain your logic behind the service that you have posted !
+2 Vote up Vote down
nirav's avatar

nirav · 778 weeks ago

Dear Tejeshwa,

Can you suggest the solution for this one, how to encrypt password in this table, as this is critical security issue in our oraganisation, please help us.

thanks
1 reply · active less than 1 minute ago
+2 Vote up Vote down
Bhupesh's avatar

Bhupesh · 751 weeks ago

As per Siebel Vanilla Funcnality, SRM Table will store the password whenever you execute any job having siebel/sadmin passwords.

Best you can do is that you can clear the SRM table once your job is complete by executing the DELETE command for your record.
+1 Vote up Vote down
nss's avatar

nss · 705 weeks ago

while creating the job you can set the Delete Unit to say.. 10 seconds.. and after the job is completed it will clear out of SRM table with in 10 seconds..
+1 Vote up Vote down
wagfeliz's avatar

wagfeliz · 478 weeks ago

The siebel database should not be accessible to other users even for read anyways, so if your company works right its not an security issue.

Post a new comment

Comments by

Subscribe to: Post Comments ( Atom )

Other Siebel Blogs

siebel-admin-l @ IT - toolbox

siebel-dev-l @ IT - toolbox