eljugg Guest
Posted: Mon Nov 21, 2011 8:25 pm Post subject: SSL login/password sent in plain text
After being away from my computer for a bit, I refreshed the page with my scheduled snipes at this page (replace <username>):
Quote: gixen.com/home_2.php?username=<username>&mirror=1
Due to a timeout, I received this error:
Quote: Session expired. Please sign in again.
The top of this page also has the normal login form, including this notice:
Quote: Login is SSL protected.
I noticed that after logging in, no h.t.t.p.s page was hit. This is the login form (HTML) from the above page:
Code: <form id="form1" name="form1" method="post" action="home_1.php">
This needs to be fixed/changed to what the homepage has (with h.t.t.p.s action):
Code: <form id="form1" name="form1" method="post" action="h.t.t.p.s://w.w.w.gixen.com/home_1.php">
I suggest checking other places where a login might appear (with home_1.php as the action) and verifying they are all h.t.t.p.s actions. It might be worth considering making all pages h.t.t.p.s after logging in. I realize this is a free (for most) service and I have found it useful thus far; however, having my eBay login and password sent in plain text when I'm explicitly told it won't be is unacceptable.
Thanks.
* To get past your spam filter I had to use h.t.t.p.s and w.w.w in my explanation
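One way to run the check suggested in the post above, as an added example that is not part of the original thread or the site's own code: it finds every form containing a password field and resolves its action against the URL of the page serving it, because a relative action such as home_1.php inherits that page's scheme. The host example.test, the input fields and all function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LoginFormAudit(HTMLParser):
    """Collect every <form> that contains a password field, with its resolved target."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base = page_url   # a <base href> changes how relative actions resolve
        self.current = None    # form being parsed: [action, method, has_password]
        self.findings = []     # tuples of (resolved_target, method, is_https)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base = urljoin(self.page_url, a["href"])
        elif tag == "form":
            self.current = [a.get("action") or "", (a.get("method") or "get").lower(), False]
        elif tag == "input" and self.current and (a.get("type") or "").lower() == "password":
            self.current[2] = True

    def handle_endtag(self, tag):
        if tag == "form" and self.current:
            action, method, has_pw = self.current
            self.current = None
            if has_pw:
                # A missing or empty action submits to the page's own URL.
                target = urljoin(self.base, action) if action else self.page_url
                self.findings.append((target, method, urlsplit(target).scheme == "https"))

def audit(page_url, html):
    """Return (target, method, is_https) for each password-bearing form in html."""
    parser = LoginFormAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: the form tag quoted in the post plus hypothetical input fields,
# served from a hypothetical plain-http page on the placeholder host example.test.
EXPIRED_PAGE = ('<form id="form1" name="form1" method="post" action="home_1.php">'
                '<input type="text" name="username"><input type="password" name="password"></form>')
FIXED_PAGE = EXPIRED_PAGE.replace('action="home_1.php"',
                                  'action="https://www.example.test/home_1.php"')

if __name__ == "__main__":
    page = "http://www.example.test/home_2.php?mirror=1"
    for name, html in (("expired", EXPIRED_PAGE), ("fixed", FIXED_PAGE)):
        for target, method, is_https in audit(page, html):
            print(name, method.upper(), target, "OK" if is_https else "PLAINTEXT")
```

Feeding each template that can render the login form through `audit()` with the URL it is actually served from covers the "other places" the post mentions; any finding with `is_https` false is a form that would submit credentials unencrypted.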
 |
mario Site Admin

Joined: 03 Oct 2006 Posts: 7267
Posted: Mon Nov 21, 2011 8:50 pm Post subject:
Thank you for the report, and my apologies. This is indeed a bug: the form shown after the session expires indeed contained an insecure target link for the login. This is fixed now.
 |
eljugg Guest
Posted: Tue Nov 22, 2011 5:44 am Post subject:
Thanks for the quick turnaround on this issue!