Yesterday, we ran into an issue with the HTTP Password in the person record in names.nsf.
The problem occured after we upgraded the customers Domino server from V 9.0.1 to V11.0.1FP1.
The customer has some backend processes installed that let them delegate the process of register, update and delete users and groups to different departments. One part of the process is a piece of code that sets the HTTP password in the person record.
The issue was that the password was stored in clear text after upgrading the server. I looked into the design and could spot the root of the issue.
In pubnames_9.ntf, the HTTPPassword item has an input translation formula that encodes the password.
In V11 of the pubnames.ntf, the HTTPPassword item is missing and so is the input translation formula. The password encoding has been moved to the “Enter Password” button.
As a condequence, if you set the password in a backend agent, the String is not encoded and visible in clear text to others.
The fix is simple. We changed our agent code from
... doc.HTTPPassword = pwdDoc.getItemValue("pwd").text ...
... Dim result As Variant result = Evaluate(|@Password("|+ pwddoc.getItemValue("pwd").text + |")|) doc.HTTPPassword.result(0) ... call doc.save(true, false)
to encode the password. This tipp might be useful, if you have similar processes implemented.
I have not looked into the design of Domino 10. But chances are that HCL has changed the design also in this release.