Posted to commits@rocketmq.apache.org by "viccctor (via GitHub)" <gi...@apache.org> on 2023/03/20 08:11:07 UTC

[GitHub] [rocketmq-dashboard] viccctor opened a new issue, #154: Password exposure through query strings in url

viccctor opened a new issue, #154:
URL: https://github.com/apache/rocketmq-dashboard/issues/154

   The issue tracker is **ONLY** used for bug report and feature request. 
   
   Any question or RocketMQ proposal please use our [mailing lists](http://rocketmq.apache.org/about/contact/).
   
   **BUG REPORT**
   
   1. Please describe the issue you observed:
   
   - What did you do (The steps to reproduce)?
   
   make a login to dashboard
   
   - What did you expect to see?
   
   login credentials in POST body
   
   - What did you see instead?
   
   login credentials in POST param
   
   2. Please tell us about your environment:
   
   Latest version
   
   3. Other information (e.g. detailed explanation, logs, related issues, suggestions how to fix, etc):
   
   In nginx access log, we can see `POST /login/login.do?password=12312112&username=admin`
   
   [Information exposure](https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url) through query strings in URL is when sensitive data is passed to parameters in the URL. This allows attackers to obtain sensitive data such as usernames, passwords, tokens (authX), database details, and any other potentially sensitive data. Simply using HTTPS does not resolve this vulnerability. 
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@rocketmq.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
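A defender-side check for the symptom described in the report above, added here as an example (it is not code from the issue or from rocketmq-dashboard): scan nginx access log lines for requests whose query string carries credential-like parameter names, and produce a redacted form of the request target for the alert so the finding itself does not re-expose the value. It generalizes beyond `password` to a small list of sensitive key names; that list, the log format regex and the sample log lines are assumptions, with the first sample line reproducing the request quoted in the issue.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that should never appear in a query string (assumed list; extend for your app).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token", "access_token", "api_key", "apikey"}

# nginx "combined" format: ip - user [time] "METHOD target HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def redact_target(target):
    """Return the request target with values of sensitive query params replaced by [REDACTED]."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    redacted = "&".join(
        f"{k}=[REDACTED]" if k.lower() in SENSITIVE_KEYS else f"{k}={v}" for k, v in pairs
    )
    return f"{parts.path}?{redacted}"

def find_exposed_params(log_text):
    """Return one finding per log line whose query string names a sensitive parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognised access-log line
        target = m.group("target")
        parts = urlsplit(target)
        keys = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        hit = sorted(keys & SENSITIVE_KEYS)
        if hit:
            findings.append({"ip": m.group("ip"), "method": m.group("method"),
                             "path": parts.path, "params": hit,
                             "redacted": redact_target(target)})
    return findings

# Constructed sample log; line 1 mirrors the request quoted in the issue report.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2023:08:05:12 +0000] "POST /login/login.do?password=12312112&username=admin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [20/Mar/2023:08:05:40 +0000] "GET /topic/list.query?page=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Mar/2023:08:06:01 +0000] "POST /login/login.do HTTP/1.1" 200 512 "-" "curl/8.0"
"""

if __name__ == "__main__":
    for f in find_exposed_params(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} {f['redacted']} exposes {f['params']}")
```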


[GitHub] [rocketmq-dashboard] Oliverwqcwrw commented on issue #154: Password exposure through query strings in url

Posted by "Oliverwqcwrw (via GitHub)" <gi...@apache.org>.
Oliverwqcwrw commented on issue #154:
URL: https://github.com/apache/rocketmq-dashboard/issues/154#issuecomment-1479554055

   IMO, the appropriate authentication and authorization mechanism should be selected according to the usage scenarios. 
   
   dashboard may be used more by internal teams rather than complicated authentication algorithms. 
   
   Of course, we can also provide a variety of authentication methods for users to choose from, like the JWT you mentioned.
   




[GitHub] [rocketmq-dashboard] Abhijeetmishr commented on issue #154: Password exposure through query strings in url

Posted by "Abhijeetmishr (via GitHub)" <gi...@apache.org>.
Abhijeetmishr commented on issue #154:
URL: https://github.com/apache/rocketmq-dashboard/issues/154#issuecomment-1479049178

   @viccctor @Oliverwqcwrw should I work on this?
   Approach:
    we can use Request Body instead of request param.
    if we further want to improve security we can implement JWT based authentication using public and private key for encryption/decryption.
    
    @Oliverwqcwrw What is your take on this? I will continue looking into what else we can do.

