[Kolab-devel] [issue4430] "Modify User" reply page contains user password in plain text

Thomas Arendsen Hein issues at kolab.org
Tue Jun 29 16:40:06 CEST 2010


New submission from Thomas Arendsen Hein <thomas at intevation.de>:

Kolab Server 2.2.4 (and probably all previous versions):

When changing the password via the "Modify User" page (Users tab for
manager/admin/maintainer/dm as well as My User Settings tab for normal users),
the entered values for password and verify password are included in plain text
in the returned page, e.g.:

<tr><td><label for="password_0">Password</label></td><td><input
name="password_0" id="password_0" type="password" value="SECRET"  size="60"
/></td><td>Leave blank to keep password unchanged</td></tr>
<tr><td><label for="password_1">Verify Password</label></td><td><input
name="password_1" id="password_1" type="password" value="SECRET"  size="60"
/></td><td>Leave blank to keep password unchanged</td></tr>

This is a security risk since the password might be retrieved by other people by
using the back button of a running browser or by getting access to the browser
cache stored on disk/backup.

----------
assignedto: cwickert
keyword: server, web admin
messages: 25551
nosy: cwickert, martin, thomas, wilde, wrobel
priority: urgent
status: unread
title: "Modify User" reply page contains user password in plain text

______________________________________
Kolab issue tracker <issues at kolab.org>
<https://issues.kolab.org/issue4430>
______________________________________
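A response check for the condition the report describes, added here as an example (it is not part of the report and not Kolab's own code): it parses a page with Python's html.parser and lists every password-type input that carries a non-empty value attribute, and renders the fixed form of the field, which omits the value attribute entirely. The sample page is constructed from the snippet above.

```python
from html.parser import HTMLParser
from html import escape


class EchoedPasswordFinder(HTMLParser):
    """Collect password-type <input> elements whose value attribute is non-empty."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser routes self-closing "<input ... />" tags here as well
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() != "password":
            return
        value = a.get("value")
        if value:  # None or "" means nothing was echoed back
            self.findings.append((a.get("name") or a.get("id") or "?", value))


def find_echoed_passwords(html: str):
    """Return [(field name, echoed value), ...] for every leaking password field."""
    parser = EchoedPasswordFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def password_field(name: str, label: str) -> str:
    """Fixed rendering: a password input is written without any value attribute."""
    n = escape(name, quote=True)
    return (f'<label for="{n}">{escape(label)}</label>'
            f'<input name="{n}" id="{n}" type="password" size="60" />')


# Constructed sample modelled on the snippet in the report (not a captured Kolab response).
VULNERABLE_PAGE = (
    '<tr><td><label for="password_0">Password</label></td><td><input '
    'name="password_0" id="password_0" type="password" value="SECRET"  size="60" '
    '/></td><td>Leave blank to keep password unchanged</td></tr>'
    '<tr><td><label for="password_1">Verify Password</label></td><td><input '
    'name="password_1" id="password_1" type="password" value="SECRET"  size="60" '
    '/></td><td>Leave blank to keep password unchanged</td></tr>'
)
FIXED_PAGE = password_field("password_0", "Password") + password_field("password_1", "Verify Password")

if __name__ == "__main__":
    print(find_echoed_passwords(VULNERABLE_PAGE))  # [('password_0', 'SECRET'), ('password_1', 'SECRET')]
    print(find_echoed_passwords(FIXED_PAGE))       # []
```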
