From: SourceForge.net <no...@so...> - 2006-07-06 19:47:34
Bugs item #1518359, was opened at 2006-07-06 12:47
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=108956&aid=1518359&group_id=8956

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: User
Group: v1.8
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: Query String Password Vulnerability

Initial Comment:
phpESP allows usernames and passwords for surveys protected by form-based authentication to be passed via the URL query string. While this in and of itself is not a bug, a problem arises if the survey contains HTML links to other websites.

Assume a user accesses an authenticated survey with the URL: http://mywebsite/phpESP/public/survey.php?name=survey&username=foo&password=bar. If this survey has a hyperlink (perhaps as part of one of the questions) to http://someothersite/ (via the <A>...</A> tag) and the user follows this link, most web browsers will send the following Referer HTTP header in the request to someothersite:

Referer: http://mywebsite/phpESP/public/survey.php?name=survey&username=foo&password=bar

As a result, the user's username and password combination is exposed to someothersite.

Fix: Whenever phpESP encounters a username and password in the query string it should store these values in $_SESSION (which I believe it already does), redirect to the same URL with the username and password parameters removed, and authenticate the user via the PHPSESSID cookie instead.
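
The fix proposed in the report above, sketched as an added example (it is not phpESP's code and not part of the original message). The parameter names username and password come from the report; the function names and the $_SESSION keys are assumptions.

```php
<?php
// Added example, not phpESP code. The parameter names "username" and
// "password" come from the report; function names and session keys are assumed.

/** Return the URI without credential parameters, or null if it had none. */
function strip_credentials(string $requestUri, array $secret = ['username', 'password']): ?string
{
    $parts = parse_url($requestUri);
    if ($parts === false || !isset($parts['query'])) {
        return null;
    }
    parse_str($parts['query'], $params);
    $clean = array_diff_key($params, array_flip($secret));
    if (count($clean) === count($params)) {
        return null; // no credentials in the query string
    }
    // Rebuild from the path only; any scheme or host in the input is dropped.
    $path = $parts['path'] ?? '/';
    return $clean ? $path . '?' . http_build_query($clean) : $path;
}

/** Call before any output: move credentials into the session, then redirect. */
function move_credentials_to_session(): void
{
    session_start();
    $target = strip_credentials($_SERVER['REQUEST_URI'] ?? '');
    if ($target === null) {
        return; // clean URL: authenticate from $_SESSION as usual
    }
    foreach (['username', 'password'] as $key) {
        // Ignore array-valued parameters such as username[]=x.
        $_SESSION[$key] = is_string($_GET[$key] ?? null) ? $_GET[$key] : '';
    }
    session_regenerate_id(true); // new session ID once credentials are attached
    header('Location: ' . $target, true, 303);
    exit;
}

if (PHP_SAPI === 'cli') {
    // Constructed input: the URL from the report, path and query only.
    var_dump(strip_credentials('/phpESP/public/survey.php?name=survey&username=foo&password=bar'));
} else {
    move_credentials_to_session();
}
```

The first request still carries the credentials in its URL, so they remain in server access logs and browser history; the redirect only keeps them out of the Referer header sent from the survey page.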