tamu secreto
Posted October 25, 2009

Password type input with autocomplete

Vulnerability description
When a new name and password are entered in a form and the form is submitted, the browser asks if the password should be saved. Thereafter, when the form is displayed, the name and password are filled in automatically or are completed as the name is entered. An attacker with local access could obtain the cleartext password from the browser cache.

authentication.php
authentication.php (GET back=addresses.php)
authentication.php (GET back=discount.php)
authentication.php (GET back=history.php)
authentication.php (GET back=identity.php)
authentication.php (GET back=my-account.php&id_lang=2)
authentication.php (GET back=my-account.php)
authentication.php (GET back=my-account.php; POST id_currency=&SubmitCurrency=)
authentication.php (GET back=order.php?step=1&id_lang=2)
authentication.php (GET back=order.php?step=1)
authentication.php (GET back=order.php?step=1; POST id_currency=&SubmitCurrency=)
authentication.php (GET id_lang=2)
authentication.php (POST email_create=&back=my-account.php&SubmitCreate=Create your account&SubmitCreate=Create your account)
authentication.php (POST email_create=&back=order.php?step=1&SubmitCreate=Create your account&SubmitCreate=Create your account)
authentication.php (POST email_create=&SubmitCreate=Create your account&SubmitCreate=Create your account)
authentication.php (POST [email protected]&passwd=&back=my-account.php&SubmitLogin=Log in)
authentication.php (POST [email protected]&passwd=&back=order.php?step=1&SubmitLogin=Log in)
authentication.php (POST [email protected]&passwd=&SubmitLogin=Log in)
authentication.php (POST id_currency=&SubmitCurrency=)

The impact of this vulnerability
Possible sensitive information disclosure

How to fix this vulnerability
The password autocomplete should be disabled in sensitive applications.
To disable autocomplete, you may use code similar to: <INPUT TYPE="password" AUTOCOMPLETE="off">

salute :smirk:
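As an added example (not part of the post above and not PrestaShop code), here is a small Python check that reproduces what the scanner tests for: it parses a page and lists every password input that neither the field itself nor its enclosing form marks with autocomplete="off". The form names and the sample HTML are constructed for the example.

```python
from html.parser import HTMLParser

class PasswordAutocompleteChecker(HTMLParser):
    """Collect password inputs not covered by autocomplete="off" on the field or its form."""
    def __init__(self):
        super().__init__()
        self.form_index = 0      # 1-based count of <form> tags seen so far
        self.in_form = False
        self.form_off = False    # True while inside a <form autocomplete="off">
        self.findings = []       # (form index or None, field name)

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag/attribute names but not values, so normalise values here
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self.form_index += 1
            self.in_form = True
            self.form_off = a.get("autocomplete") == "off"
        elif tag == "input" and a.get("type") == "password":
            if not (a.get("autocomplete") == "off" or self.form_off):
                where = self.form_index if self.in_form else None
                self.findings.append((where, a.get("name", "<unnamed>")))

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False
            self.form_off = False

def find_autocompletable_password_fields(html):
    """Return [(form index, field name), ...] for each field the scanner would report."""
    checker = PasswordAutocompleteChecker()
    checker.feed(html)
    checker.close()
    return checker.findings

# Constructed sample (not from any real shop): only the first form should be flagged.
SAMPLE_HTML = """
<form action="authentication.php" method="post">
  <input type="text" name="email"><input type="password" name="passwd">
</form>
<form action="authentication.php" method="post" autocomplete="off">
  <input type="text" name="email"><input type="password" name="passwd">
</form>
<form action="authentication.php" method="post">
  <INPUT TYPE="password" NAME="passwd" AUTOCOMPLETE="off">
</form>
"""
```

Current browsers' password managers generally ignore autocomplete="off" on password fields, so treat an empty result as clearing the scanner finding rather than as a guarantee that the browser will never offer to store the password.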