Bugs item #1518359, was opened at 2006-07-06 12:47
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=108956&aid=1518359&group_id=8956
Category: User
Group: v1.8
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: Query String Password Vulnerability
Initial Comment:
phpESP allows usernames and passwords for surveys
protected by form-based authentication to be passed via
the URL query string. While this in and of itself is not
a bug, a problem arises if the survey contains HTML
links to other websites.
Assume a user accesses an authenticated survey with the
URL:
http://mywebsite/phpESP/public/survey.php?name=survey&username=foo&password=bar.
If this survey has a hyperlink (perhaps as part of one
of the questions) to http://someothersite/ (via the
<A>...</A> tag) and the user follows this link, most
web browsers will send the following Referer HTTP
header in the request to someothersite:
Referer: http://mywebsite/phpESP/public/survey.php?name=survey&username=foo&password=bar
As a result, the user's username and password
combination is exposed to someothersite.
Fix: Whenever phpESP encounters a username and password
in the query string it should store these values in
$_SESSION (which I believe it already does), redirect
to the same URL with the username and password
parameters removed, and authenticate the user via the
PHPSESSID cookie instead.
----------------------------------------------------------------------
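The fix proposed in the report, sketched as an added example (this is not phpESP's own code). The `username` and `password` parameter names come from the URL in the report; the function name `strip_credentials` and the `$_SESSION` keys are hypothetical.

```php
<?php
// Added illustration, not phpESP code. Parameter names are taken from the URL
// in the report; strip_credentials() and the $_SESSION keys are hypothetical.

/**
 * Return $uri with the credential parameters removed from its query string,
 * or null when none of them were present (no redirect needed).
 * Only the path and query are kept, so the result is always same-site.
 */
function strip_credentials(string $uri, array $secret = ['username', 'password']): ?string
{
    $parts = parse_url($uri);
    if ($parts === false || !isset($parts['query'])) {
        return null;
    }
    parse_str($parts['query'], $params);
    $clean = array_diff_key($params, array_flip($secret));
    if (count($clean) === count($params)) {
        return null; // nothing sensitive in the URL
    }
    $path = $parts['path'] ?? '/';
    return $clean ? $path . '?' . http_build_query($clean) : $path;
}

if (PHP_SAPI === 'cli') {
    // Constructed check using the survey URL path from the report.
    echo strip_credentials('/phpESP/public/survey.php?name=survey&username=foo&password=bar'), "\n";
    exit;
}

session_start();
$target = strip_credentials($_SERVER['REQUEST_URI'] ?? '');
if ($target !== null) {
    // Keep the submitted values server-side, tied to the PHPSESSID cookie.
    $_SESSION['survey_username'] = (string) ($_GET['username'] ?? '');
    $_SESSION['survey_password'] = (string) ($_GET['password'] ?? '');
    session_regenerate_id(true);

    // Redirect before any survey HTML (and its outbound links) is rendered,
    // so the page the user sees has a credential-free address.
    header('Location: ' . $target, true, 303);
    exit;
}
// From here on, authenticate from $_SESSION rather than from $_GET.
```

The redirect removes the credentials from the address that later Referer headers are built from, but the first request still carries them, so they remain in web server access logs and browser history.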