Posted to user@lenya.apache.org by gkrishna <gk...@interchange.ubc.ca> on 2005/03/26 06:41:27 UTC

Lenya reveals password in the url

If the password authentication fails when a user is trying to change his password, it is revealed in the site URL:

http://localhost:8080/lenya/blog/admin/users/krishna.html?lenya.continuation=6e26642f5f75737c6749155d5437785d60253664&old-password=sample&new-password=sample18&confirm-password=sample2&submit=Submit


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@lenya.apache.org
For additional commands, e-mail: user-help@lenya.apache.org


Re: Lenya reveals password in the url

Posted by Michael Wechner <mi...@wyona.com>.
Andreas Hartmann wrote:

> Michael Wechner wrote:
>
>> gkrishna wrote:
>>
>>> If the password authentication fails when a user is trying to change
>>> his password, it is revealed in the site URL:
>>>
>>> http://localhost:8080/lenya/blog/admin/users/krishna.html?lenya.continuation=6e26642f5f75737c6749155d5437785d60253664&old-password=sample&new-password=sample18&confirm-password=sample2&submit=Submit 
>>>
>>>  
>>>
>>
>> that's bad ;-) but I think this is not the only place where the 
>> password can be seen.
>>
>> You might want to file an enhancement bug on this
>
>
> I guess we could change the method to POST first (we should do that
> anyway for those forms). Maybe it makes sense to use SSL for the
> password use case.


+1

whereas I am not sure if every servlet container supports SSL
out-of-the-box, and it would probably make sense to make this configurable.

Michi

>
> -- Andreas


-- 
Michael Wechner
Wyona Inc.  -   Open Source Content Management   -   Apache Lenya
http://www.wyona.com                      http://lenya.apache.org
michael.wechner@wyona.com                        michi@apache.org




Re: Lenya reveals password in the url

Posted by Andreas Hartmann <an...@apache.org>.
Michael Wechner wrote:
> gkrishna wrote:
> 
>> If the password authentication fails when a user is trying to change
>> his password, it is revealed in the site URL:
>>
>> http://localhost:8080/lenya/blog/admin/users/krishna.html?lenya.continuation=6e26642f5f75737c6749155d5437785d60253664&old-password=sample&new-password=sample18&confirm-password=sample2&submit=Submit 
>>
>>  
>>
> 
> that's bad ;-) but I think this is not the only place where the password 
> can be seen.
> 
> You might want to file an enhancement bug on this

I guess we could change the method to POST first (we should do that
anyway for those forms). Maybe it makes sense to use SSL for the
password use case.

-- Andreas


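Switching the form to POST (and using SSL for the password use case) stops the credentials from reaching the query string, but the URLs that have already been emitted sit in browser history, proxy logs and the servlet container's access log. The script below is an added example, not code from this thread or from Lenya: it scans access-log request lines for credential-like query parameters and produces a redacted form of the URL that is safe to log. The parameter-name pattern, the common-log-format regex and the three log lines are constructed assumptions; the URL itself is the one the reporter posted.

```python
"""Flag credentials that have leaked into URLs and redact them before logging.

Constructed example: the URL is the one reported in the thread; the log lines
are made up in Apache common log format.
"""
import re
from typing import Iterable, List, NamedTuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that should never travel in a query string (assumed pattern).
SENSITIVE_PARAM_RE = re.compile(r"pass(word|wd)?|pwd|secret|token|api[-_]?key", re.IGNORECASE)

# Common log format: host ident user [time] "METHOD target PROTO" status size
LOG_LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)


def sensitive_params(url: str) -> List[str]:
    """Names of query parameters in `url` that look like credentials."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [name for name, _ in pairs if SENSITIVE_PARAM_RE.search(name)]


def redact_url(url: str, mask: str = "REDACTED") -> str:
    """The same URL with the values of sensitive parameters replaced by `mask`."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, mask if SENSITIVE_PARAM_RE.search(k) else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


class Finding(NamedTuple):
    line_no: int
    method: str
    leaked: List[str]
    redacted_target: str


def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    """One Finding per request whose target URL carried credential-like parameters."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        leaked = sensitive_params(m["target"])
        if leaked:
            findings.append(Finding(line_no, m["method"], leaked, redact_url(m["target"])))
    return findings


# The URL reported in the thread (the values are the reporter's sample values).
LEAKED_URL = (
    "http://localhost:8080/lenya/blog/admin/users/krishna.html"
    "?lenya.continuation=6e26642f5f75737c6749155d5437785d60253664"
    "&old-password=sample&new-password=sample18&confirm-password=sample2&submit=Submit"
)

# Constructed access-log excerpt: one leaking GET, one harmless GET, one POST.
# A POST body is not written to the access log, so nothing leaks on line 3.
SAMPLE_LOG = [
    '127.0.0.1 - - [26/Mar/2005:06:41:27 +0000] "GET /lenya/blog/admin/users/krishna.html'
    '?lenya.continuation=6e26642f5f75737c6749155d5437785d60253664'
    '&old-password=sample&new-password=sample18&confirm-password=sample2&submit=Submit HTTP/1.1" 200 4120',
    '127.0.0.1 - - [26/Mar/2005:06:42:03 +0000] "GET /lenya/blog/index.html?lenya.usecase=view HTTP/1.1" 200 2201',
    '127.0.0.1 - - [26/Mar/2005:06:43:11 +0000] "POST /lenya/blog/admin/users/krishna.html HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.method} leaks {', '.join(f.leaked)} -> {f.redacted_target}")
```

Only the first line is reported, which is the point of the POST change: with the values in the request body, the access log, the browser history and any `Referer` header sent from the resulting page no longer carry them. Running the same scan over proxy logs catches copies of the URL that were recorded outside the servlet container.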


Re: Lenya reveals password in the url

Posted by Michael Wechner <mi...@wyona.com>.
gkrishna wrote:

>If the password authentication fails when a user is trying to change his password, it is revealed in the site URL:
>
>http://localhost:8080/lenya/blog/admin/users/krishna.html?lenya.continuation=6e26642f5f75737c6749155d5437785d60253664&old-password=sample&new-password=sample18&confirm-password=sample2&submit=Submit
>  
>

that's bad ;-) but I think this is not the only place where the password 
can be seen.

You might want to file an enhancement bug on this

Thanks

Michi



-- 
Michael Wechner
Wyona Inc.  -   Open Source Content Management   -   Apache Lenya
http://www.wyona.com                      http://lenya.apache.org
michael.wechner@wyona.com                        michi@apache.org

