Clearly the wrong way to remember


  • Trolleybus Mechanic

     I signed up for a bunch of the secinfo mailing lists. You see about three or four notices on the list per day, mostly xss, sql-inject and a few buffer overflows. Nothing spooktacular, certainly nothing that made me literally stop and "wtf" out loud. Until today:

    [url=http://packetstormsecurity.org/files/115503/groupoffice-disclose.txt]http://packetstormsecurity.org/files/115503/groupoffice-disclose.txt[/url]

    When logging into the application, if a user ticks the 'Remember my login on
    this computer until I press logout' box, and then successfully logs into the
    application, two cookies ('GO_UN' and 'GO_PW') are returned. [b]These cookies
    contain the user's username and cleartext password respectively.[/b]

  • And if they don't click that button, how does it know which user is logged in?



  • How else are they supposed to remember your login? Session keys? Bah!



  • They also don't set the secure flag on them?  I mean it's listed as fixed a few days after it was reported but still.



  • @Lorne Kates said:

     I signed up for a bunch of the secinfo mailing lists. You see about three or four notices on the list per day, mostly xss, sql-inject and a few buffer overflows. Nothing spooktacular, certainly nothing that made me literally stop and "wtf" out loud. Until today:

    When logging into the application, if a user ticks the 'Remember my login on
    this computer until I press logout' box, and then successfully logs into the
    application, two cookies ('GO_UN' and 'GO_PW') are returned. These cookies
    contain the user's username and cleartext password respectively.

    Do they read the cookies in javascript and pre-fill/pre-submit the login form, or is it processed server-side? I don't know which is best.
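The two designs contrasted in this thread, as an added example that is not from the thread or from the Group-Office code base: the advisory's credential-carrying GO_UN/GO_PW cookie beside a "remember me" token that is random, stored server-side only as a hash, revocable on logout, and flagged Secure and HttpOnly (the flag a post above noted was missing). The REMEMBER cookie name and the in-memory token store are constructed for this example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie


def weak_remember_cookie(username, password):
    """The advisory's pattern: the credentials themselves ride in the cookie."""
    cookie = SimpleCookie()
    cookie["GO_UN"] = username
    cookie["GO_PW"] = password  # cleartext: anyone who sees the cookie has the password
    return cookie


# Server-side store for the hardened scheme: selector -> (username, sha256(validator)).
# A module-level dict stands in for a database table (constructed for this example).
_token_store = {}

def _digest(validator):
    return hashlib.sha256(validator.encode()).digest()

def issue_remember_cookie(username):
    """Hardened scheme: a random token replaces the password; only its hash is stored."""
    selector = secrets.token_urlsafe(12)   # lookup key; fine to store in clear
    validator = secrets.token_urlsafe(32)  # the secret; stored hashed, like a password
    _token_store[selector] = (username, _digest(validator))
    cookie = SimpleCookie()
    cookie["REMEMBER"] = f"{selector}:{validator}"
    cookie["REMEMBER"]["secure"] = True    # never sent over plain HTTP
    cookie["REMEMBER"]["httponly"] = True  # not readable from page JavaScript
    cookie["REMEMBER"]["samesite"] = "Lax"
    cookie["REMEMBER"]["max-age"] = 30 * 24 * 3600
    return cookie

def resume_login(cookie_value):
    """Username for a valid token, else None; a wrong validator revokes the token."""
    selector, _, validator = cookie_value.partition(":")
    entry = _token_store.get(selector)
    if entry is None:
        return None
    username, stored = entry
    if not hmac.compare_digest(stored, _digest(validator)):
        _token_store.pop(selector, None)  # selector known but secret wrong: treat as stolen
        return None
    return username

def logout(cookie_value):
    """'Until I press logout': invalidate the server-side record, not just the cookie."""
    _token_store.pop(cookie_value.partition(":")[0], None)
```

Whether the cookie is consumed by JavaScript or server-side, the hardened token never reveals the password, and HttpOnly keeps it out of page scripts entirely.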

