I have discovered that if you’re using a custom tool in The Dude, it is possible to discover the password to any configured device in The Dude in plain text, and nearly anyone can do this regardless of their access level in The Dude.
I feel that this should be addressed immediately, as there is a big difference between someone having Right Click access via a tool and being given the user’s login in clear text on an error.
Since there haven’t been any documented changes recently and despite version upgrades this still exists, I would like to see it addressed:
To create the issue:
Define your tool and its login per the documentation. For this example, winbox is located:
c:\tools\winbox.exe
If my employee on their workstation renames or moves the winbox executable, they have provided the password that was configured for the device in plain text when they get the error for the tool not being available. What can be done so that this isn’t possible? Ideally I’d like to have The Dude not display the error the way that it does and to keep the password invisible.
Thanks!
Paul
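
An added example, not part of the original post and not The Dude's own code: one way a tool launcher can report a missing executable without echoing the device password, by building the error text from a masked copy of the command line. The `{address}`/`{user}`/`{password}` placeholders, the function names and the sample device are assumptions made for illustration.

```python
import subprocess

# Fields that must never reach an error dialog or a log line (assumed names).
SECRET_FIELDS = {"password"}
MASK = "********"


def expand(template, device, mask=False):
    """Fill the placeholders in each argument; mask secret fields when asked."""
    values = {
        key: (MASK if mask and key in SECRET_FIELDS else value)
        for key, value in device.items()
    }
    return [part.format(**values) for part in template]


def launch_tool(template, device):
    """Start the external tool. Returns (ok, message); message is safe to display."""
    argv = expand(template, device)                 # real arguments, never shown
    shown = " ".join(expand(template, device, mask=True))
    try:
        subprocess.Popen(argv)
    except OSError as exc:
        # Covers a renamed or moved executable (FileNotFoundError) and similar
        # start failures. The text is built from the masked form only, never
        # from argv, so the credential cannot leak through the error path.
        return False, f"Could not start tool ({type(exc).__name__}): {shown}"
    return True, f"Started: {shown}"


if __name__ == "__main__":
    # Constructed sample data; the executable path does not exist on purpose.
    device = {"address": "192.0.2.10", "user": "admin",
              "password": "S3cret-constructed"}
    template = ["/nonexistent/tools/winbox.exe",
                "{address}", "{user}", "{password}"]
    print(launch_tool(template, device)[1])
```
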