Problem Note 63029: The url_list.txt file in the Search Interface for SAS® Content configuration directory contains an encoded password


Severity: High

CVSS Score: High

Description: The url_list.txt file in the Search Interface for SAS Content configuration directory contains the encoded password for the internal account (by default, sassearch@saspw) that is used to provide content to SAS Information Retrieval Studio for indexing. The configuration directory is located at SAS-configuration-directory/lev-N/Web/Applications/SearchInterfacetoSASContent.

Potential Impact: An attacker who gains access to the file system might obtain credentials from the url_list.txt file, decode the password, and then use those credentials to gain access to applications and data that they should not have.

Click the Hot Fix tab in this note to access the hot fix for this issue.

For releases 3.1, 3.2, and 3.3, you must apply the hot fix for this issue to enable an alternate mechanism for providing content to SAS Information Retrieval Studio. After applying the hot fix, you can remove the URL from url_list.txt. You should also run the unschedule script that is located in the same directory to remove scheduling for the existing indexing job.

For releases 3.4, 3.5, and 3.6, an alternate mechanism for providing content to SAS Information Retrieval Studio already exists, so no hot fix is required. You can simply remove the URL from the url_list.txt file.
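
One way to confirm the cleanup step described above, as an added example that is not SAS code: the script walks a configuration root, finds each url_list.txt inside a SearchInterfacetoSASContent directory, and reports whether a URL is still present and whether the file is readable beyond its owner. It assumes a leftover entry is any line containing `scheme://` and that the configuration root is passed as the first argument; only line numbers are reported so the encoded password is never copied into output or logs.

```python
import os
import re
import stat
import sys

# Assumption of this example: a leftover entry is any line containing scheme://
URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://")
TARGET_DIR = "SearchInterfacetoSASContent"   # directory name given in the note
TARGET_FILE = "url_list.txt"


def audit(config_root):
    """Return one finding per url_list.txt found under config_root."""
    findings = []
    for dirpath, _dirs, files in os.walk(os.path.abspath(config_root)):
        if os.path.basename(dirpath) != TARGET_DIR or TARGET_FILE not in files:
            continue
        path = os.path.join(dirpath, TARGET_FILE)
        with open(path, encoding="utf-8", errors="replace") as fh:
            # Record line numbers only; the line itself may embed the credential.
            url_lines = [n for n, line in enumerate(fh, 1) if URL_RE.search(line)]
        mode = stat.S_IMODE(os.stat(path).st_mode)
        findings.append({
            "path": path,
            "url_lines": url_lines,
            # POSIX mode bits only; on Windows review the file's ACL instead.
            "broad_read": os.name == "posix"
            and bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        })
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    results = audit(root)
    for f in results:
        status = "URL still present" if f["url_lines"] else "no URL found"
        perms = "; readable by group/other" if f["broad_read"] else ""
        print(f"{f['path']}: {status} (lines {f['url_lines']}){perms}")
    # Non-zero exit lets a scheduled job or CI check flag unremediated hosts.
    sys.exit(1 if any(f["url_lines"] for f in results) else 0)
```

A file that still contained the URL before cleanup has already exposed the encoded password to anyone who could read it, so a hit on an older backup or snapshot of the directory is worth treating the same way as a hit on the live file.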



Operating System and Release Information

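| Product Family | Product | System | Product Release (Reported) | Product Release (Fixed*) | SAS Release (Reported) | SAS Release (Fixed*) |
|---|---|---|---|---|---|---|
| SAS System | Search Interface to SAS Content | Linux for x64 | 3.1 | 3.7 | 9.4 TS1M0 | 9.4 TS1M6 |
| SAS System | Search Interface to SAS Content | Microsoft® Windows® for x64 | 3.1 | 3.7 | 9.4 TS1M0 | 9.4 TS1M6 |
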
* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.