It depends on the container ... in WebSphere, I had to make a slight modification:
http://www.webspherepower.com/issues/issue200411/00001360001.html

Mikolaj Rydzewski <[EMAIL PROTECTED]>    08/08/2005 03:27 PM
To: [email protected]
cc:
Subject: Insecure login form redirections?
Please respond to [EMAIL PROTECTED] ator.apache.org

Hello,

I'm a new user of roller blogger. I'm not sure if the following case is true because of my misconfiguration or a design flaw in roller. While processing the login form, roller redirects the user using the GET method with clear text login and password in the URL! The following is a capture from the liveHttpHeaders firefox plugin:

1. login form submission

   POST /roller/auth/
   [ login form data ]

2. here it goes: redirect with clear text sensitive data:

   HTTP/1.x 302 Moved Temporarily
   Location: http://server/roller/j_security_check?j_username=login&j_password=pass&j_uri=

3. the following is placed in the webserver's log

   GET /roller/j_security_check?j_username=login&j_password=pass&j_uri= HTTP/1.1

4. HTTP/1.x 302 Moved Temporarily
   Location: http://server/roller/login-redirect.jsp

5. GET /roller/login-redirect.jsp HTTP/1.1

6. and finally we can blog

   HTTP/1.x 302 Moved Temporarily
   Location: http://server/roller/editor/weblog.do?method=create&rmk=tabbedmenu.weblog&rmik=tabbedmenu.weblog.newEntry

Of course passwords are stored in the webserver's log too.

Is it my misconfiguration? My setup is rather simple, I guess. Tomcat 5.5.x is running the roller webapp on host A. The site is available via apache 2.0.54 on host B, which uses mod_rewrite to proxy requests to tomcat. They're both FreeBSD 5.4, Tomcat runs on JDK 1.4.2.

-- 
Mikolaj Rydzewski <[EMAIL PROTECTED]>
http://ceti.pl/~miki/
PGP KeyID: 8b12ab02
There are three kinds of people: men, women and unix.
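The capture above shows the two places the password ends up once a login is turned into a 302 to a GET: the Location header of the redirect, and the front-end web server's access log. The script below is an added example for checking both, written for this page; it is not code from the thread, from Roller or from Tomcat. It assumes the servlet FORM-auth field names (j_username, j_password) plus a few common equivalents as the sensitive parameters, assumes Apache "common" log format for the access log, and uses constructed sample data modelled on the exchange Mikolaj posted (the log lines and the 10.0.0.5 client address are made up).

```python
"""Flag login credentials that have leaked into URLs, either in a 302
Location header (the j_security_check redirect captured above) or in a
web server access log that recorded the resulting GET."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names whose values are secrets. j_password is the servlet
# FORM-auth field; the others are common equivalents (assumed list).
SENSITIVE_PARAMS = {"j_password", "password", "passwd", "pwd"}

# Apache "common" log format prefix, enough to pull out the request line.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3})'
)


def sensitive_params_in_url(url):
    """Return the sorted names of secret-bearing parameters in url's query string."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({name.lower() for name, _ in pairs} & SENSITIVE_PARAMS)


def redirect_leaks_credentials(raw_response):
    """Inspect the Location header of a raw HTTP response; return leaked parameter names."""
    m = re.search(r"^Location:[ \t]*(\S+)", raw_response, re.IGNORECASE | re.MULTILINE)
    return sensitive_params_in_url(m.group(1)) if m else []


def scan_access_log(lines):
    """Return (line_no, method, path, leaked_params) for every log line whose URL carries a secret."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        leaked = sensitive_params_in_url(m.group("target"))
        if leaked:
            findings.append((line_no, m.group("method"), urlsplit(m.group("target")).path, leaked))
    return findings


def redact_url(url):
    """Replace the value of every secret parameter with REDACTED, keeping other parameters intact."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


# Constructed sample data modelled on the capture in the message above.
REDIRECT_RESPONSE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Location: http://server/roller/j_security_check?j_username=login&j_password=pass&j_uri=\r\n"
    "\r\n"
)
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Aug/2005:15:27:01 +0200] "POST /roller/auth/ HTTP/1.1" 302 -',
    '10.0.0.5 - - [08/Aug/2005:15:27:01 +0200] "GET /roller/j_security_check?j_username=login&j_password=pass&j_uri= HTTP/1.1" 302 -',
    '10.0.0.5 - - [08/Aug/2005:15:27:02 +0200] "GET /roller/login-redirect.jsp HTTP/1.1" 302 -',
]

if __name__ == "__main__":
    print("redirect leaks:", redirect_leaks_credentials(REDIRECT_RESPONSE))
    for line_no, method, path, leaked in scan_access_log(SAMPLE_LOG):
        print(f"log line {line_no}: {method} {path} exposes {', '.join(leaked)}")
    print("redacted:", redact_url("/roller/j_security_check?j_username=login&j_password=pass&j_uri="))
```

Run against a real access log, scan_access_log tells you which lines to purge (and how far back the exposure goes), while redact_url is the form you would apply when a log must be retained. Redaction is only damage control: the proper fix is to keep the credentials in the POST body (for example by forwarding the request to j_security_check inside the container instead of issuing a redirect), so that neither the Location header nor the proxy's log ever sees them.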
