Luc H created AMBARI-25588:
------------------------------
Summary: Use basic authentication over HTTP
Key: AMBARI-25588
URL: https://issues.apache.org/jira/browse/AMBARI-25588
Project: Ambari
Issue Type: Bug
Components: test
Affects Versions: trunk
Reporter: Luc H
Sensitive information like username and password shall not be sent over the
cleartext HTTP channel. Basic authentication only obfuscates username/password
in Base64 encoding, which can be easily recognized and reversed.
The class
{{ambari-funtest/src/test/java/org/apache/ambari/funtest/server/AmbariHttpWebRequest.java}}
sends username and password in basic authentication over an HTTP connection.
Sending username and password using the HTTP protocol violates CWE-522
"Insufficiently Protected Credentials".
Although the vulnerable class is in the {{ambari-funtest}} package, as Ambari
is a popular repository of Apache that is watched and used by many users and
organizations, whose code could be extended and customized, the issue shall be
resolved in my opinion.
Relevant PR is [#3210](https://github.com/apache/ambari/pull/3210).
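As an added illustration (not Ambari's code and not the change in PR #3210): a small Java helper that attaches Basic credentials only when the URI scheme is https, so a client fails closed instead of sending username and password over cleartext HTTP. Host names and credentials below are constructed sample values.

```java
import java.net.URI;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example, not Ambari code: send Basic credentials only over TLS (CWE-522 mitigation).
public final class SafeBasicAuth {

    /** Authorization header value for user:pass, exactly as HTTP Basic encodes it.
     *  Base64 is an encoding, not encryption, so this value protects nothing by itself. */
    static String basicHeaderValue(String user, String pass) {
        String raw = user + ":" + pass;
        return "Basic " + Base64.getEncoder()
                .encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Builds a GET request carrying Basic credentials. Throws instead of building the
     * request when the scheme is not https, so a plain-http endpoint (a misconfigured
     * test target, for instance) fails loudly rather than leaking the password.
     */
    static HttpRequest authenticatedGet(String url, String user, String pass) {
        URI uri = URI.create(url);
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException(
                    "refusing to send Basic credentials over non-TLS scheme: " + uri.getScheme());
        }
        return HttpRequest.newBuilder(uri)
                .header("Authorization", basicHeaderValue(user, pass))
                .GET()
                .build();
    }

    public static void main(String[] args) {
        // Constructed sample host and credentials, not real Ambari values.
        HttpRequest ok = authenticatedGet(
                "https://ambari.example:8443/api/v1/clusters", "admin", "s3cret");
        System.out.println("https request built, header present: "
                + ok.headers().firstValue("Authorization").isPresent());
        try {
            authenticatedGet("http://ambari.example:8080/api/v1/clusters", "admin", "s3cret");
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Requires Java 11 or later for `java.net.http.HttpRequest`; the same scheme check can be applied in front of any `HttpURLConnection`-based client.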