Adventures As Me


Security like it's 1995

Written 06 Sep 2005

At work we are migrating our main ERP (Enterprise Resource Planning) software to the next major version released by our vendor. This new version uses the web browser for the client interface, rather than distributing a proprietary client. There are problems, however:

  • VBScript: The use of this client-side scripting language forces Internet Explorer as the only usable browser (goodbye Opera, Firefox, Safari or any other browser).
  • Java: This doesn't seem bad until you realize it requires an ancient (1.3.x) version of the plugin.
  • ActiveX: Some actions (such as viewing the print jobs in your print queue) require interfacing directly with the system, an iSeries. Since we don't deploy a fat client, we instead deploy an ActiveX 5250 control. It needs to be installed for each user of each computer. And we are having extreme difficulties initiating the installation.
  • Amateur Coders: While trying to streamline the distribution and installation of the above ActiveX control, I viewed the source of the web page that is supposed to initiate the installation. Was I ever surprised to find, in plain text, my system username and password in the source. Who thought that was an acceptable solution?!?
