Priority: Urgent
Current State: Closed
Released In: 1.1.9
Target Release: patch
Applies To: Engine
Component: LoginManager
Branches: Release01x01 trunk
--
JoeMarandola - 30 Sep 2013
We have a large Foswiki system in our government working site that was developed since 2009. Recently government inspectors began WebInspect Scans to make sure everything is fine. They wrote up these comments below. I just started trying to understand the problem before responding but I figure that those more adept with our Foswiki will have some comments (such as "do we really have a problem or not"). I believe one of our developers wrote the last sentence. Note that there are no auto-logins, we set up login information of all approved people.
***********************
Resolve issues from WebInspect scan.
A username was found in the query string of a GET request or Set-Cookie header.
Leaving login information in a query string or cookie values makes it easy for an attacker to see and tamper with login values. Have a developer or security administrator examine this issue. Recommendations include ensuring that login information is sent with a POST request over an encrypted connection and that sensitive account information is kept on the server.
Problem appears with the FOSWiki software. Wiki accepts Username and Password as URL arguments. This should be disabled.
********************
This is actually a feature. We can't outright disable it, as it's currently used by the Extensions installer to allow configure to get extensions from a password protected repository.
In 1.1.9, it will be made configurable, the development work has already been done.
--
GeorgeClark - 01 Oct 2013
That is good news and that will help us. Do we have any idea on when 1.1.9 will be released? Thanks.
--
JoeMarandola - 07 Oct 2013
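
The scanner finding quoted in this report can also be checked against a site's existing web server access logs. The following is an added example, not Foswiki code: a log audit that flags requests carrying credential parameters in the query string and redacts their values. The parameter names `username` and `password`, the script paths and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumed parameter names; adjust to what the login handler actually accepts.
CREDENTIAL_PARAMS = {"username", "password"}

# Request portion of a common/combined-format access log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Sep/2013:10:01:02 +0000] '
    '"GET /bin/view/Main/WebHome?username=jdoe&password=example HTTP/1.1" 200 5120',
    '192.0.2.11 - - [30/Sep/2013:10:01:05 +0000] "POST /bin/login HTTP/1.1" 302 0',
    '192.0.2.12 - - [30/Sep/2013:10:01:09 +0000] '
    '"GET /bin/view/Main/WebHome?rev=3;%70assword=example HTTP/1.1" 200 5120',
    '192.0.2.13 - - [30/Sep/2013:10:01:12 +0000] '
    '"GET /bin/view/Main/WebHome?rev=3 HTTP/1.1" 200 5120',
]


def audit_line(line):
    """Return (method, redacted_target, leaked_names), or None if the line is clean."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Some CGI applications accept ';' as well as '&' between parameters.
    pairs = parse_qsl(parts.query.replace(";", "&"), keep_blank_values=True)
    # parse_qsl percent-decodes names, so '%70assword' is matched as 'password'.
    leaked = sorted({k.lower() for k, _ in pairs if k.lower() in CREDENTIAL_PARAMS})
    if not leaked:
        return None
    redacted = urlencode(
        [(k, "REDACTED" if k.lower() in CREDENTIAL_PARAMS else v) for k, v in pairs]
    )
    return m.group("method"), parts._replace(query=redacted).geturl(), leaked


def audit(lines):
    """Collect findings for every log line whose query string carries credentials."""
    return [finding for finding in map(audit_line, lines) if finding]


if __name__ == "__main__":
    for method, target, leaked in audit(SAMPLE_LOG):
        print(f"{method} {target}  leaked: {', '.join(leaked)}")
```

Any hit means the credential value is already stored in the log file itself, so the affected accounts need a password change and the log needs the same access controls as the password store.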