Jordi Rovira | 11 Jun 2012 18:07

Minor security bug in login

Hello,


  First, a small context introduction: I am developing my company website using Wt, and enjoying it very much so far. Thanks for making this framework open.

  Now, to the issue: There is a small security problem that may end up showing users' passwords on screen if the user is not careful. I have found it on my site, based on the last stable release, but also in your site's Blog. The steps to reproduce it are simple:

  - Go to blog website: http://www.webtoolkit.eu/wt/blog
  - Type a valid (existing) user name in the login box.
  - Don't type anything in the password box, and click the Login button.
  - The system nicely complains about the password, putting its entry in red.
  - However if you click on it and type your password now, it will be visible (as if the password entry field is no longer type="password").

  Not really a big security problem, but it would be good to fix it...

Regards,

Jordi

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
witty-interest mailing list
witty-interest@...
https://lists.sourceforge.net/lists/listinfo/witty-interest
scorp1us | 12 Jun 2012 01:02

Re: Minor security bug in login

heh, I'm trying to argue for soft-password boxes. Entering a during password on a mobile sucks. I'd consider this a feature. LOL.


With all the password breaches lately, it's clear that we have to move away from passwords entirely...

--

Sent from my Nokia N9


Wim Dumon | 12 Jun 2012 14:15

Re: Minor security bug in login

Hello Jordi,

That's a problem indeed. It is caused by a mix of server-side and
client-side manipulations of stylesheet classes. I made it consistent;
fix will appear in git soon.

Best regards,
Wim.

2012/6/11 Jordi Rovira <jordi@...>:
> Hello,
>
>   First, a small context introduction: I am developing my company
> website using Wt, and enjoying it very much so far. Thanks for making this
> framework open.
>
>   Now, to the issue: There is a small security problem that may end up
> showing users' passwords on screen if the user is not careful. I have found
> it on my site, based on the last stable release, but also in your site's
> Blog. The steps to reproduce it are simple:
>
>   - Go to blog website: http://www.webtoolkit.eu/wt/blog
>   - Type a valid (existing) user name in the login box.
>   - Don't type anything in the password box, and click the Login button.
>   - The system nicely complains about the password, putting its entry in
> red.
>   - However if you click on it and type your password now, it will be
> visible (as if the password entry field is no longer type="password").
>
>   Not really a big security problem, but it would be good to fix it...
>
> Regards,
>
> Jordi
>
>