Posted to user@lenya.apache.org by gkrishna <gk...@interchange.ubc.ca> on 2005/03/26 06:41:27 UTC
Lenya reveals password in the url
If the password authentication fails when a user is trying to change his password, it is revealed in the site URL:
http://localhost:8080/lenya/blog/admin/users/krishna.html?lenya.continuation=6e26642f5f75737c6749155d5437785d60253664&old-password=sample&new-password=sample18&confirm-password=sample2&submit=Submit
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@lenya.apache.org
For additional commands, e-mail: user-help@lenya.apache.org
Re: Lenya reveals password in the url
Posted by Michael Wechner <mi...@wyona.com>.
Andreas Hartmann wrote:
> Michael Wechner wrote:
>
>> gkrishna wrote:
>>
>>> If the password authentication fails when a user is trying to change
>>> his password, it is revealed in the site URL:
>>>
>>> http://localhost:8080/lenya/blog/admin/users/krishna.html?lenya.continuation=6e26642f5f75737c6749155d5437785d60253664&old-password=sample&new-password=sample18&confirm-password=sample2&submit=Submit
>>
>> that's bad ;-) but I think this is not the only place where the
>> password can be seen.
>>
>> You might want to file an enhancement bug on this
>
> I guess we could change the method to POST first (we should do that
> anyway for those forms). Maybe it makes sense to use SSL for the
> password use case.
+1, although I am not sure if every servlet container supports SSL
out of the box, and it would probably make sense to make this configurable.
Michi
--
Michael Wechner
Wyona Inc. - Open Source Content Management - Apache Lenya
http://www.wyona.com http://lenya.apache.org
michael.wechner@wyona.com michi@apache.org
Re: Lenya reveals password in the url
Posted by Andreas Hartmann <an...@apache.org>.
Michael Wechner wrote:
> gkrishna wrote:
>
>> If the password authentication fails when a user is trying to change
>> his password, it is revealed in the site URL:
>>
>> http://localhost:8080/lenya/blog/admin/users/krishna.html?lenya.continuation=6e26642f5f75737c6749155d5437785d60253664&old-password=sample&new-password=sample18&confirm-password=sample2&submit=Submit
>
> that's bad ;-) but I think this is not the only place where the password
> can be seen.
>
> You might want to file an enhancement bug on this
I guess we could change the method to POST first (we should do that
anyway for those forms). Maybe it makes sense to use SSL for the
password use case.
-- Andreas
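The fix Andreas proposes (switch the form to POST) is worth seeing side by side with the leak, and a defender will also want to know whether the GET variant has already left password fields in the web server's access logs. The following is an added example written for this thread; it is not Lenya code and makes no assumptions about Lenya's form handling. It builds the request line a browser would send for a GET versus a POST form, and it scans Common Log Format lines for query parameters whose names look like secrets. The log lines, field values and the `PLACEHOLDER` continuation id are constructed; the report deliberately returns parameter names only, never their values, so the scan output does not re-leak anything.

```python
"""Why a password form must not use GET, and how to spot the leak in
access logs. Added example for this thread; not Lenya code. All sample
URLs, values and log lines are constructed."""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Parameter names that should never travel in a query string (constructed list).
SECRET_KEY_PATTERN = re.compile(r"(pass(word|wd)?|secret|token)", re.IGNORECASE)

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def build_request(method: str, action: str, fields: dict) -> tuple[str, str]:
    """Return (request_line, body) a browser sends for a form with this method.

    With GET the fields ride in the request line, so every access log, proxy
    log, browser history entry and Referer header sees them. With POST they
    sit in the entity body, which servers do not log by default.
    """
    encoded = urlencode(fields)
    if method.upper() == "GET":
        return f"GET {action}?{encoded} HTTP/1.1", ""
    return f"POST {action} HTTP/1.1", encoded


def secret_keys_in_url(url: str) -> list[str]:
    """Sorted names (never values) of query parameters that look like secrets."""
    query = urlsplit(url).query
    params = parse_qs(query, keep_blank_values=True)
    return sorted(k for k in params if SECRET_KEY_PATTERN.search(k))


def find_leaks_in_access_log(lines) -> list[tuple[str, str, list[str], int]]:
    """Scan CLF lines; report (method, path, leaked_keys, status) for every
    request whose query string carries secret-looking parameter names."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        keys = secret_keys_in_url(m["target"])
        if keys:
            findings.append(
                (m["method"], urlsplit(m["target"]).path, keys, int(m["status"]))
            )
    return findings


# Constructed sample log: one leaking GET, the same form as POST, one benign GET.
SAMPLE_LOG = [
    '127.0.0.1 - - [26/Mar/2005:06:41:27 +0000] "GET /lenya/blog/admin/users/'
    'krishna.html?lenya.continuation=PLACEHOLDER&old-password=REDACTED1'
    '&new-password=REDACTED2&confirm-password=REDACTED3&submit=Submit HTTP/1.1" 200 5120',
    '127.0.0.1 - - [26/Mar/2005:06:42:01 +0000] "POST /lenya/blog/admin/users/'
    'krishna.html HTTP/1.1" 200 5120',
    '127.0.0.1 - - [26/Mar/2005:06:43:10 +0000] "GET /lenya/blog/index.html?page=2'
    ' HTTP/1.1" 200 2048',
]


if __name__ == "__main__":
    fields = {"old-password": "x", "new-password": "y", "confirm-password": "y"}
    print("GET  ->", build_request("GET", "/users/krishna.html", fields)[0])
    print("POST ->", build_request("POST", "/users/krishna.html", fields))
    for finding in find_leaks_in_access_log(SAMPLE_LOG):
        print("leak:", finding)
```

Changing the form to POST stops new entries of this kind; the log scan is for finding what earlier GET submissions already wrote to disk, so those passwords can be treated as exposed and the affected log files handled accordingly. SSL, as suggested in the thread, addresses the separate problem of the body being readable on the wire, which POST alone does not solve.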
Re: Lenya reveals password in the url
Posted by Michael Wechner <mi...@wyona.com>.
gkrishna wrote:
> If the password authentication fails when a user is trying to change his password, it is revealed in the site URL:
>
> http://localhost:8080/lenya/blog/admin/users/krishna.html?lenya.continuation=6e26642f5f75737c6749155d5437785d60253664&old-password=sample&new-password=sample18&confirm-password=sample2&submit=Submit
that's bad ;-) but I think this is not the only place where the password
can be seen.
You might want to file an enhancement bug on this
Thanks
Michi