Clearly the wrong way to remember
-
I signed up for a bunch of the secinfo mailing lists. You see about three or four notices on the list per day, mostly xss, sql-inject and a few buffer overflows. Nothing spooktacular, certainly nothing that made me literally stop and "wtf" out loud. Until today:
[url=http://packetstormsecurity.org/files/115503/groupoffice-disclose.txt]http://packetstormsecurity.org/files/115503/groupoffice-disclose.txt[/url]
When logging into the application, if a user ticks the 'Remember my login on
this computer until I press logout' box, and then successfully logs into the
application, two cookies ('GO_UN' and 'GO_PW') are returned. [b]These cookies
contain the user's username and cleartext password respectively.[/b]
-
And if they don't click that button, how does it know which user is logged in?
-
How else are they supposed to remember your login? Session keys? Bah!
-
They also don't set the secure flag on them? I mean it's listed as fixed a few days after it was reported but still.
-
@Lorne Kates said:
I signed up for a bunch of the secinfo mailing lists. You see about three or four notices on the list per day, mostly xss, sql-inject and a few buffer overflows. Nothing spooktacular, certainly nothing that made me literally stop and "wtf" out loud. Until today:
When logging into the application, if a user ticks the 'Remember my login on
this computer until I press logout' box, and then successfully logs into the
application, two cookies ('GO_UN' and 'GO_PW') are returned. These cookies
contain the user's username and cleartext password respectively.
Do they read the cookies in javascript and pre-fill/pre-submit the login form, or is it processed server-side? I don't know which is best.
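For contrast with the GO_UN/GO_PW pattern the advisory describes, and as an answer to the "session keys? bah!" and "secure flag" remarks above, here is an added example (not from the original thread, and not Group-Office code) of what a server-side "remember me" usually looks like when done properly: the cookie carries only an opaque random token, the server stores a hash of it, and the cookie is marked Secure and HttpOnly. The `RememberMeStore` class, the `remember` cookie name, the selector/validator split and the 30-day lifetime are all assumptions made for the example; the weak builder is included only to show the difference in what ends up in the Set-Cookie header.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

# --- The pattern the advisory criticises: credentials inside the cookie ---
def weak_remember_me_cookies(username, password):
    """Build the two cookies the advisory describes (GO_UN / GO_PW).
    Whoever can read the cookie (browser disk, a shared PC, a proxy log,
    any script on the page since HttpOnly is absent) has the password."""
    c = SimpleCookie()
    c["GO_UN"] = username
    c["GO_PW"] = password
    return c

# --- Hardened: opaque random token, hash kept server-side, flagged cookie ---
TOKEN_TTL = 30 * 24 * 3600  # 30 days; constructed value for the example


class RememberMeStore:
    """In-memory stand-in (constructed for this example) for a DB table of
    selector -> (username, sha256(validator), expiry). A real app persists it."""

    def __init__(self):
        self._rows = {}

    def issue(self, username, now=None):
        """Create a token for `username` and return a SimpleCookie carrying it."""
        now = time.time() if now is None else now
        selector = secrets.token_urlsafe(12)   # lookup key; fine to store as-is
        validator = secrets.token_urlsafe(32)  # the secret half; only its hash is kept
        self._rows[selector] = (
            username,
            hashlib.sha256(validator.encode()).digest(),
            now + TOKEN_TTL,
        )
        c = SimpleCookie()
        c["remember"] = f"{selector}:{validator}"
        m = c["remember"]
        m["secure"] = True       # never sent over plain http
        m["httponly"] = True     # not readable from page JavaScript
        m["samesite"] = "Lax"
        m["max-age"] = TOKEN_TTL
        m["path"] = "/"
        return c

    def lookup(self, cookie_value, now=None):
        """Return the username for a valid, unexpired token, else None."""
        now = time.time() if now is None else now
        try:
            selector, validator = cookie_value.split(":", 1)
        except ValueError:
            return None
        row = self._rows.get(selector)
        if row is None:
            return None
        username, digest, expiry = row
        if now > expiry:
            del self._rows[selector]
            return None
        presented = hashlib.sha256(validator.encode()).digest()
        # constant-time compare: the validator is the secret, don't leak it by timing
        if not hmac.compare_digest(digest, presented):
            return None
        return username

    def revoke(self, cookie_value):
        """'until I press logout': drop the server-side row so the cookie is dead."""
        selector = cookie_value.split(":", 1)[0]
        self._rows.pop(selector, None)


if __name__ == "__main__":
    print(weak_remember_me_cookies("alice", "hunter2").output())
    store = RememberMeStore()
    cookie = store.issue("alice")
    print(cookie.output())
    print(store.lookup(cookie["remember"].value))
```

Compare the two `Set-Cookie` lines the script prints: the weak one contains the password as a literal, the hardened one contains a random string that is useless without the server-side table and can be invalidated on logout or on a password change. A reset of the database row is also the answer to the question of whether the browser or the server should process the cookie: with an opaque token there is nothing for page JavaScript to read or pre-fill, so the lookup belongs server-side.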