Bug #13255

SECURITY: unencrypted password exposure in query string from login page when submitting incorrect credentials

Added by Dan Gillean over 2 years ago. Updated over 1 year ago.

Status: Verified
Start date: 02/07/2020
Priority: Medium
Due date:
Assignee: -
% Done: 0%
Category: Security
Target version: Release 2.6.0
Google Code Legacy ID:
Tested version: 2.5, 2.6
Sponsored: No
Requires documentation: No

Description

Reported via our security address 2020-02-07 by an information security company. Submitting a failed login attempt then exposes unencrypted credentials in subsequent page URLs.

To reproduce

  • Navigate to /user/login
  • Enter an incorrect user and password
  • On submission, the page will reload with an error message
  • Open the language menu, and hover over one of the available languages - examine the URL preview at the bottom of the browser

Resulting error

The password is thus included in the query string of the language links. If the user clicks one of these links, the password is stored in the browser history and recorded in the web server logs, among other places.

As a result, the credentials may be exposed in the following locations when using HTTP or HTTPS:

  • Referrer Header
  • Web Logs
  • Shared Systems
  • Browser History
  • Browser Cache
  • Shoulder Surfing

Expected result

Authentication credentials should only ever be submitted in POST requests, never in GET requests. Page URLs should not expose any previously submitted authentication information in unencrypted form.
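An added example (not AtoM's own code) showing the failure mode described above beside a hardened version, plus a defender-side check that flags web server log lines carrying a credential in the query string. It assumes the language switcher builds its links by re-emitting the current request's parameters, submitted form fields included; the hostname, credential and log lines are constructed placeholders, and `sf_culture` is the assumed name of the culture parameter.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed parameters of the request that rendered the failed-login page.
# Assumption (not stated in the ticket): the language switcher re-emits the
# current request's parameters, submitted form fields included.
FAILED_LOGIN_REQUEST = {
    "module": "user", "action": "login",
    "email": "archivist@example.org", "password": "hunter2",  # placeholder credential
}
# Routing parameters a language-switch link legitimately needs to keep.
ROUTE_PARAMS = frozenset({"module", "action", "slug", "page"})
# Field names that must never travel in a query string.
SENSITIVE_FIELDS = frozenset({"password", "passwd", "pass", "token", "csrf_token"})
BASE = ("https", "atom.example.org", "/index.php")  # constructed host


def language_link_vulnerable(params, lang):
    """Copies every request parameter into the GET link (the reported behaviour)."""
    return urlunsplit(BASE + (urlencode(dict(params, sf_culture=lang)), ""))


def language_link_hardened(params, lang):
    """Carries only allowlisted routing parameters; form fields stay out of the URL."""
    query = {k: v for k, v in params.items() if k in ROUTE_PARAMS}
    query["sf_culture"] = lang
    return urlunsplit(BASE + (urlencode(query), ""))


def sensitive_fields_in(url):
    """Names of sensitive query-string fields present in a URL (empty set if clean)."""
    return set(parse_qs(urlsplit(url).query, keep_blank_values=True)) & SENSITIVE_FIELDS


# Defender-side check: request target of a combined-log-format access log line.
LOG_REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')


def scan_access_log(lines):
    """Return (line_number, field_names) for each log line whose URL carries a sensitive field."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = LOG_REQUEST.search(line)
        if m and (found := sensitive_fields_in(m.group(1))):
            hits.append((n, sorted(found)))
    return hits


# Constructed access-log lines for a quick self-check.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Feb/2020:10:00:01 +0000] "POST /user/login HTTP/1.1" 200 512',
    '10.0.0.5 - - [07/Feb/2020:10:00:09 +0000] "GET /index.php?module=user&action=login&email=a%40b.org&password=hunter2&sf_culture=fr HTTP/1.1" 200 4096',
    '10.0.0.5 - - [07/Feb/2020:10:00:15 +0000] "GET /index.php?module=user&action=login&sf_culture=fr HTTP/1.1" 200 4096',
]
```

Run `scan_access_log` over a real access log to find out whether any credential has already been recorded before rotating the affected passwords.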

History

#1 Updated by Dan Gillean over 2 years ago

  • File auditSecurite_AtoM_RFValais_20200129_objectif-securite.pdf added
  • File mdp_url.png added

#3 Updated by José Raddaoui Marín almost 2 years ago

  • Status changed from New to Code Review
  • Assignee set to Douglas Cerna
  • Target version set to Release 2.6.0

Addressed in https://gitlab.artefactual.com/software-development/atom/-/merge_requests/2. See related ticket for less urgent follow-ups.

#4 Updated by Douglas Cerna almost 2 years ago

  • Status changed from Code Review to In progress
  • Assignee changed from Douglas Cerna to José Raddaoui Marín

Feedback provided in the PR.

#5 Updated by José Raddaoui Marín almost 2 years ago

  • Status changed from In progress to QA/Review
  • Assignee changed from José Raddaoui Marín to Dan Gillean

Merged in qa/2.6.x.

#6 Updated by Dan Gillean almost 2 years ago

  • Subject changed from SECURITY: unencrypted password exposure in query string from login page to SECURITY: unencrypted password exposure in query string from login page when submitting incorrect credentials
  • Status changed from QA/Review to Verified
  • Assignee deleted (Dan Gillean)

#7 Updated by Dan Gillean almost 2 years ago

  • File deleted (auditSecurite_AtoM_RFValais_20200129_objectif-securite.pdf)

#8 Updated by Dan Gillean almost 2 years ago

Removing the full security report in advance of making issue public with release.

#9 Updated by Dan Gillean almost 2 years ago

  • Description updated (diff)

#10 Updated by Dan Gillean almost 2 years ago

  • File deleted (mdp_url.png)

#11 Updated by Dan Gillean over 1 year ago

  • Private changed from Yes to No
