Basically, we never looked at this as a security issue. Since SysAid usually runs on a server, the serverConf.xml file should not be accessible for domain users to see (limited by NTFS permissions).
The password showing on the configuration file was more of a cosmetic issue.
I hate to dig up an old ticket but the responses to people's questions in this thread are inadequate.
We are being told to use a service account with read-only privileges, however for password services you ask that we use a domain administrator account. What is the correct answer? Domain admin or read-only user?
So did you ever notify your customers or do they only find out when they stumble across this post? Storing any password in plaintext is poor security and if you didn’t think this was an issue or worth notifying your clients about then what other “non-issues” are lurking out there for us to find?