tamu secreto
Posted October 25, 2009

Password type input with autocomplete

Vulnerability description
When a new name and password is entered in a form and the form is submitted, the browser asks if the password should be saved. Thereafter when the form is displayed, the name and password are filled in automatically or are completed as the name is entered. An attacker with local access could obtain the cleartext password from the browser cache.

authentication.php
authentication.php (GET back=addresses.php)
authentication.php (GET back=discount.php)
authentication.php (GET back=history.php)
authentication.php (GET back=identity.php)
authentication.php (GET back=my-account.php&id_lang=2)
authentication.php (GET back=my-account.php)
authentication.php (GET back=my-account.php; POST id_currency=&SubmitCurrency=)
authentication.php (GET back=order.php?step=1&id_lang=2)
authentication.php (GET back=order.php?step=1)
authentication.php (GET back=order.php?step=1; POST id_currency=&SubmitCurrency=)
authentication.php (GET id_lang=2)
authentication.php (POST email_create=&back=my-account.php&SubmitCreate=Create your account&SubmitCreate=Create your account)
authentication.php (POST email_create=&back=order.php?step=1&SubmitCreate=Create your account&SubmitCreate=Create your account)
authentication.php (POST email_create=&SubmitCreate=Create your account&SubmitCreate=Create your account)
authentication.php (POST [email protected]&passwd=&back=my-account.php&SubmitLogin=Log in)
authentication.php (POST [email protected]&passwd=&back=order.php?step=1&SubmitLogin=Log in)
authentication.php (POST [email protected]&passwd=&SubmitLogin=Log in)
authentication.php (POST id_currency=&SubmitCurrency=)

The impact of this vulnerability
Possible sensitive information disclosure

How to fix this vulnerability
The password autocomplete should be disabled in sensitive applications.
To disable autocomplete, you may use a code similar to: <INPUT TYPE="password" AUTOCOMPLETE="off">

salute :smirk:

mir-aus
Posted March 25, 2011

If I want AUTOCOMPLETE="off" in /authentication.php, do I need to type the code in the .tpl or the .php? And where should I type it?

makaraci
Posted March 26, 2011

Which files are affected by this vulnerability? Which files should be edited by adding "<input type="password" name="…" autocomplete="off" />"?

Thanks
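
Added example (not part of the original thread and not PrestaShop code): a Python check that parses template markup and lists the password fields whose effective autocomplete setting is not "off", which is one way to locate the markup the questions above ask about. The sample template, its field names and the helper names are constructed for illustration.

```python
from html.parser import HTMLParser

class PasswordFieldAudit(HTMLParser):
    """Record password inputs whose effective autocomplete is not "off"."""
    def __init__(self):
        super().__init__()
        self.form_off = False   # enclosing <form> sets autocomplete="off"
        self.findings = []      # (line number, field name)

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)      # HTMLParser lower-cases tag and attribute names
        setting = (attr.get("autocomplete") or "").strip().lower()
        if tag == "form":
            self.form_off = setting == "off"
        elif tag == "input" and (attr.get("type") or "").strip().lower() == "password":
            # The field's own attribute wins; otherwise it inherits the form's.
            protected = setting == "off" if "autocomplete" in attr else self.form_off
            if not protected:
                self.findings.append((self.getpos()[0], attr.get("name") or "?"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False

def audit_template(source):
    """Return [(line, name)] for password fields missing autocomplete="off"."""
    parser = PasswordFieldAudit()
    parser.feed(source)
    parser.close()
    return parser.findings

# Constructed sample in the style of a .tpl login/registration page.
SAMPLE_TPL = """\
<form action="authentication.php" method="post">
  <input type="text" name="email" value="{$email}" />
  <input type="password" name="passwd" />
</form>
<form action="authentication.php" method="post" autocomplete="off">
  <input type="PASSWORD" name="passwd_new" />
</form>
<form action="authentication.php" method="post">
  <INPUT TYPE="password" NAME="passwd_fixed" AUTOCOMPLETE="off">
  <input type="password" name="passwd_on" autocomplete="on" />
</form>
"""

if __name__ == "__main__":
    for line, name in audit_template(SAMPLE_TPL):
        print(f"line {line}: password field '{name}' lacks autocomplete=\"off\"")
```

Current browsers' password managers may ignore autocomplete="off" on login fields, so a clean result confirms the markup a scanner checks for, not that the browser will never offer to save the password.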