You are here: Foswiki>Tasks Web>Item12589 (19 Nov 2013, GeorgeClark)Edit Attach

Item12589: Login information (username or Password) left in Query or Cookie Data

pencil
Priority: Urgent
Current State: Closed
Released In: 1.1.9
Target Release: patch
Applies To: Engine
Component: LoginManager
Branches: Release01x01 trunk
Reported By: JoeMarandola
Waiting For:
Last Change By: GeorgeClark
-- JoeMarandola - 30 Sep 2013

We have a large Foswiki system in our government working site that was developed since 2009. Recently government inspectors began WebInspect Scans to make sure everything is fine. They wrote up these comments below. I just started trying to understand the problem before responding but I figure that those more adept to our Foswiki will have some comments (such as "do we really have a problem or not"). I believe one of our developers wrote the last sentence. Note that there are no auto-logins, we set up login information of all approved people.

***********************
Resolve issues from WebInspect scan.

A username was found in the query string of a GET request or Set-Cookie header.

Leaving login information in a query string or cookie values makes it easy for an attacker to see and tamper with login values. Have a developer or security administrator examine this issue. Recommendations include ensuring that login information is sent with a POST request over an encrypted connection and that sensitive account information is kept on the server.

Problem appears with the FOSWiki software. Wiki accepts Username and Password as URL arguments. This should be disabled.
********************


This is actually a feature. We can't outright disable it, as it's currently used by the Extensions installer to allow configure to get extensions from a password protected repository.

In 1.1.9, it will be made configurable, the development work has already been done.

-- GeorgeClark - 01 Oct 2013

That is good news and that will help us. Do we have any idea on when 1.1.9 will be released? Thanks.

-- JoeMarandola - 07 Oct 2013
 

ItemTemplate edit

Summary Login information (username or Password) left in Query or Cookie Data
ReportedBy JoeMarandola
Codebase 1.1.8, 1.1.7, 1.1.6, 1.1.6 dev, 1.1.5, 1.1.5 RC2, 1.1.5 RC1, 1.1.4, 1.1.4 RC2, 1.1.4 RC1, 1.1.4 beta2, 1.1.4 beta1, 1.1.3, 1.1.3 RC1, 1.1.3 beta1, 1.1.2, 1.1.1, 1.1.0, 1.1.0 beta1, 1.0.10, 1.0.9, 1.0.8, 1.0.7, 1.0.6, 1.0.5, 1.0.5 beta1, 1.0.4, 1.0.3, 1.0.2, 1.0.1, 1.0.0, 1.0.0 beta3, 1.0.0 beta2, 1.0.0 beta1, trunk
SVN Range
AppliesTo Engine
Component LoginManager
Priority Urgent
CurrentState Closed
WaitingFor
Checkins distro:f81dce7dd05a distro:cb779659d229
TargetRelease patch
ReleasedIn 1.1.9
CheckinsOnBranches Release01x01 trunk
trunkCheckins distro:cb779659d229
Release01x01Checkins distro:f81dce7dd05a
Topic revision: r8 - 19 Nov 2013, GeorgeClark - This page was cached on 25 Jul 2016 - 04:24.

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License