Hello, I'm a new user of Roller blogger. I'm not sure if the following case is true because of my misconfiguration or a design flaw in Roller.
While processing the login form, Roller redirects the user using the GET method with clear-text login and password in the URL! The following is a capture from the LiveHttpHeaders Firefox plugin:
1. login form submission
   POST /roller/auth/ [ login form data ]
2. here it goes: redirect with clear text sensitive data:
   HTTP/1.x 302 Moved Temporarily
   Location: http://server/roller/j_security_check?j_username=login&j_password=pass&j_uri=
3. the following is placed in webserver's log
   GET /roller/j_security_check?j_username=login&j_password=pass&j_uri= HTTP/1.1
4. HTTP/1.x 302 Moved Temporarily
   Location: http://server/roller/login-redirect.jsp
5. GET /roller/login-redirect.jsp HTTP/1.1
6. and finally we can blog
   HTTP/1.x 302 Moved Temporarily
   Location: http://server/roller/editor/weblog.do?method=create&rmk=tabbedmenu.weblog&rmik=tabbedmenu.weblog.newEntry
Of course passwords are stored in the webserver's log too. Is it my misconfiguration? My setup is rather simple, I guess. Tomcat 5.5.x is running the Roller webapp on host A. The site is available via Apache 2.0.54 on host B, which uses mod_rewrite to proxy requests to Tomcat. They're both FreeBSD 5.4; Tomcat runs on JDK 1.4.2.
-- Mikolaj Rydzewski <[EMAIL PROTECTED]> http://ceti.pl/~miki/ PGP KeyID: 8b12ab02 There are three kinds of people: men, women and unix.
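An added example, not part of the original post and not Roller's own code: a Python script that scans Apache combined-format access-log lines for the pattern described above (login credentials carried in a GET query string, as with j_username / j_password) and produces a redacted copy of each offending line, so an operator can measure the exposure and scrub existing logs. The log lines are constructed for illustration, and the sensitive parameter names other than j_username and j_password are an assumption to be adapted to the login form in use.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that should never appear in a logged request line.
# j_username / j_password are the Java EE form-login names seen in the post;
# the remaining names are an assumption (extend for your own login form).
SENSITIVE_PARAMS = {"j_username", "j_password", "password", "passwd", "pwd", "pass"}

# Apache "combined" format:
#   client ident user [time] "method target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?P<rest>.*)$'
)

# Constructed sample log, modelled on the request sequence quoted in the post.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2006:10:15:32 +0100] "POST /roller/auth/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jan/2006:10:15:32 +0100] "GET /roller/j_security_check?j_username=login&j_password=pass&j_uri= HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jan/2006:10:15:33 +0100] "GET /roller/login-redirect.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jan/2006:10:15:33 +0100] "GET /roller/editor/weblog.do?method=create&rmk=tabbedmenu.weblog HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".splitlines()


def leaked_params(target: str) -> dict:
    """Return {name: value} for sensitive parameters found in the request target's query string."""
    query = urlsplit(target).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS}


def redact_target(target: str) -> str:
    """Replace the values of sensitive parameters with REDACTED; other parameters are kept."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_log(lines) -> list:
    """Return one finding per log line whose request target carries sensitive parameters."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = m.group("target")
        leaked = leaked_params(target)
        if leaked:
            findings.append({
                "line": lineno,
                "client": m.group("client"),
                "method": m.group("method"),
                "path": urlsplit(target).path,
                "params": sorted(leaked),
                # Scrubbed copy suitable for writing back into the log archive.
                "redacted": line.replace(target, redact_target(target)),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['method']} {f['path']} from {f['client']} "
              f"leaks {', '.join(f['params'])}")
        print("  redacted:", f["redacted"])
```

Run against a real access log with `scan_log(open(path).readlines())`; the redacted lines can be written to a scrubbed copy before the original is removed. Note that the redirect `Location` header itself is not captured by the access log, so the reverse proxy's error or rewrite logs and any upstream caches should be checked for the same URL as well.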