Yesterday my skypemate found the CS behaviour below extremely weird and asked me to publish it:

API> retrieve,c,dm_user where user_source='inline password'
API> get,c,l,user_password
API> ?,c,select user_password from dm_user where r_object_id='11024be980000159' 
(1 row affected)

API> ?,c,select * from (select user_password from dm_user where r_object_id='11024be980000159')
(1 row affected)

3 thoughts on “:)

  1. So, it is very easy to read the actual user_password property. The hard task is to decrypt it. Anyway, it would have been better to store the password hash than an encrypted string. This is not just a way to discover a Documentum inline password but it could be more interesting: a 2013 study reported that over half of UK adults always use the same password to access different internet sites, so it could be an easy way for a Documentum system administrator to get an inline password and to try to use it on public web sites.

    Having said that, I am supposing that the EMC password encryption strategy is strong enough and that it is very difficult to decrypt it.


  2. Pingback: Eradication of Illiteracy | Documentum in a (nuts)HELL
