On 6/6/06, Jörn Nettingsmeier <[EMAIL PROTECTED]> wrote:
Bob Harner wrote:
> On 6/4/06, Joern Nettingsmeier <[EMAIL PROTECTED]> wrote:
>> hi everybody!
>>
>>
>> i've come across two security issues wrt. admin.changePassword while
>> digging around:
>>
>> (1) the password dialog is submitted via GET. this will expose the
>> password to somebody watching the browser's address bar. the attached
>> patch changes the method to POST. you can argue that security is
>> currently not implemented anyway, since we are sending clear-text
>> around. granted. but: we are using <input type="password"/> fields, so
>> the goal seems to be: hide the password from people watching the screen.
>> which implies that the values should be POSTed.
>
> See http://issues.apache.org/bugzilla/show_bug.cgi?id=38383 which
> contains a fix for (I think) the same kind of problem that existed on
> the login page.

ah, cool. out of curiosity: why did you do this:

<form method="post" action="?lenya.usecase=login&amp;lenya.step=login">

i.e. propagate some parameters via GET? i thought all of cocoon's
getParameter() magic was transparent wrt the method?

It has to be mixed like this because the usecase matching in the
pipeline only looks at GET parameters.

Details: http://article.gmane.org/gmane.comp.cms.lenya.user/9287


regards,

jörn
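The two points in the thread (a password dialog submitted via GET lands in the URL, and a POST form can still carry usecase parameters in its action query string) can be checked with a small model of what the browser does on submit. The following is an added example, not code from the thread or from Lenya; it assumes Node.js 18 or later (global `URL` and `URLSearchParams`), a base URL of `http://lenya.example/index.html` for resolving the relative action, and constructed sample forms. It also goes slightly beyond the thread: with `method="get"` a browser replaces the action's query string with the encoded fields, so the `lenya.usecase`/`lenya.step` parameters would be lost as well, which is why the mixed form only works with POST.

```javascript
// Added example (not part of the thread or of Lenya): models a browser's form
// submission for GET vs POST and audits forms that would submit a password
// via GET. Assumed base URL and sample forms are constructed below.

const BASE_URL = 'http://lenya.example/index.html'; // assumed base for the relative action

// Serialize a submission the way a browser does. With GET the encoded fields
// replace the action's query string and travel in the URL; with POST the
// action URL is kept as-is (query string included) and the fields go in the body.
function simulateSubmit(form) {
  const action = new URL(form.action, BASE_URL);
  const params = new URLSearchParams(form.fields);
  if (form.method.toLowerCase() === 'get') {
    action.search = params.toString(); // the action's own query is dropped here
    return { method: 'GET', url: action.toString(), body: null };
  }
  return { method: 'POST', url: action.toString(), body: params.toString() };
}

// Defender-side audit: a form that contains a password field must not use GET,
// because the value would end up in the address bar, history, referers and logs.
function auditForm(form) {
  const findings = [];
  const hasPassword = Object.values(form.fieldTypes || {}).includes('password');
  if (hasPassword && form.method.toLowerCase() !== 'post') {
    findings.push('password field submitted via GET: value is exposed in the URL');
  }
  return findings;
}

// Constructed sample forms mirroring the thread: the original GET dialog and
// the fixed POST form whose action keeps the usecase parameters as GET params.
const getForm = {
  method: 'get',
  action: '?lenya.usecase=login&lenya.step=login',
  fields: { username: 'alice', password: 's3cret' },
  fieldTypes: { username: 'text', password: 'password' },
};
const postForm = { ...getForm, method: 'post' };

// Runs both submissions and both audits so the results can be inspected.
function demo() {
  return {
    get: simulateSubmit(getForm),
    post: simulateSubmit(postForm),
    getFindings: auditForm(getForm),
    postFindings: auditForm(postForm),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the GET case producing `…/index.html?username=alice&password=s3cret` (password in the URL, usecase parameters gone) and the POST case keeping `?lenya.usecase=login&lenya.step=login` on the URL with the credentials only in the body, which is exactly the split the patched login form relies on.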

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
