Bob Harner wrote:
On 6/4/06, Joern Nettingsmeier <[EMAIL PROTECTED]> wrote:
hi everybody!


i've come across two security issues wrt. admin.changePassword while
digging around:

(1) the password dialog is submitted via GET. this will expose the
password to somebody watching the browser's address bar. the attached
patch changes the method to POST. you can argue that security is
currently not implemented anyway, since we are sending clear-text
around. granted. but: we are using <input type="password"/> fields, so
the goal seems to be: hide the password from people watching the screen.
which implies that the values should be POSTed.

See http://issues.apache.org/bugzilla/show_bug.cgi?id=38383 which
contains a fix for (I think) the same kind of problem that existed on
the login page.

ah, cool. out of curiosity: why did you do this:

<form method="post" action="?lenya.usecase=login&amp;lenya.step=login">

i.e. propagate some parameters via GET? i thought all of cocoon's getParameter() magic was transparent wrt the method?

regards,

jörn


--
"Open source takes the bullshit out of software."
        - Charles Ferguson on TechnologyReview.com

--
Jörn Nettingsmeier, EDV-Administrator
Institut für Politikwissenschaft
Universität Duisburg-Essen, Standort Duisburg
Mail: [EMAIL PROTECTED], Telefon: 0203/379-2736
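To illustrate both points raised in the message above, an added example (not from the thread or the Lenya project): it models how a browser serialises the login form with GET versus POST, shows where the password becomes visible, and shows that query parameters in a form's action URL survive only a POST submission, because browsers replace the action's query with the form fields on GET. The request path and the `username`/`password` field names are assumptions; only `lenya.usecase` and `lenya.step` come from the thread.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample data. The query string mirrors the form action quoted in
# the thread; the path and field names are assumed, not Lenya's real ones.
ACTION = "/login.html?lenya.usecase=login&lenya.step=login"
FIELDS = {"username": "alice", "password": "s3cret"}


def build_request(method, action, fields):
    """Return (request_line, body) as a browser would send the form.

    GET: the form data set REPLACES the action's query component, so the
    lenya.* parameters are dropped and the password lands in the URL.
    POST: the action URL is used as-is and the fields go in the body.
    """
    parts = urlsplit(action)
    if method.upper() == "GET":
        return f"GET {parts.path}?{urlencode(fields)} HTTP/1.1", ""
    return f"POST {action} HTTP/1.1", urlencode(fields)


def server_side_params(request_line, body):
    """What a server (or Cocoon's getParameter()) can see: query parameters
    from the request target plus form parameters from the body."""
    target = request_line.split(" ")[1]
    return parse_qs(urlsplit(target).query), parse_qs(body)


def password_in_url(request_line):
    """True when the password is part of the request target, i.e. exposed in
    the address bar, browser history, proxy/access logs and Referer headers."""
    target = request_line.split(" ")[1]
    return "password" in parse_qs(urlsplit(target).query)


if __name__ == "__main__":
    for method in ("GET", "POST"):
        line, body = build_request(method, ACTION, FIELDS)
        query, form = server_side_params(line, body)
        print(f"{method}: {line}")
        print(f"  query params: {sorted(query)}  body params: {sorted(form)}")
        print(f"  password exposed in URL: {password_in_url(line)}")
```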
