Menu
▾
▴
[Monarch-users] authentication issues with monarch 1.0 and security concerns ...
|
From: Lidio P. <li...@ic...> - 2006-07-11 16:13:05
|
Greetings, I just upgraded from version 0.97a to 1.0, aside from several problems with the monarch-upgrade.pl script I have found an authentication issue. The new version does not like passwords that look like "foo+bar" -- i.e. have a plus character in them. The previous version did not have this issue. Using Firefox Live HTTP Headers I am seeing the following: POST /cgi-bin/monarch.cgi user_acct=super_user&password=foo%2Bbar GET /cgi-bin/monarch.cgi?update_left=1&user_acct=super_user&top_menu=hosts&user_acct=super_user&password=foo+bar GET /cgi-bin/monarch.cgi?update_main=1&user_acct=super_user&top_menu=hosts&user_acct=super_user&password=foo+bar the POST is ok, I get authenticated and the screen changes to the monarch menu layout but it immediately throws me out to the login screen. No wonder, it is not escaping the plus character in the Password. Changing the password without a plus character works just fine. That can be a work around. However, unlike the previous version, a greater concern is that the Password is part of the GET which gets logged in the Apache log file in the clear. This is very poor security. I haven't traced out why the password field is being propagated in the GETs. Lidio. |
