HTML Help Forum Index HTML Help
 

Major security problem
degsy



Joined: 23 Feb 2005
Posts: 2440
Location: North East, UK

Posted: Wed Mar 08, 2006 9:44 am     Major security problem  

Not exactly sure why this happens, maybe due to your mod_rewrite code or other mods, but when you log in your password is displayed in the address bar.
The form is using POST, but I'm guessing you have some kind of redirect back to the index and it is showing all the login data in the address bar.

Not very secure at all. This method should not be used for submitting sensitive data.
zylstra



Joined: 10 May 2004
Posts: 130

Posted: Thu Mar 09, 2006 2:25 pm      

It is true that the information shows in the address bar. Do you think it is insecure because other people using the same computer would be able to see it? Post hides the information from the address bar, but the information is still available in the HTTP header being sent across the internet.
degsy



Joined: 23 Feb 2005
Posts: 2440
Location: North East, UK

Posted: Thu Mar 09, 2006 5:17 pm      

Are you saying that the fact that when a user enters their username & password to log in it is displayed in the address bar doesn't bother you?

If so then you have no right to be admin of a board, especially one that offers help for HTML Forms and Serverside coding.


I can think of no situation where a user's login information would or should be available via the address bar.
zylstra



Joined: 10 May 2004
Posts: 130

Posted: Mon Mar 20, 2006 10:17 pm      

degsy, please tell me why you think it is important that the address bar not show the password.
degsy



Joined: 23 Feb 2005
Posts: 2440
Location: North East, UK

Posted: Tue Mar 21, 2006 11:00 am      

The programmers have gone to a lot of trouble to set up a board with many security functions.

One of them was the industry standard of using POST to submit data, especially usernames & passwords. They even hash them in the database for security.

Having the password show in the address bar is just bad practice.
Anyone could be looking over your shoulder and see it. The URL can be cached and also bookmarked.


Is there any reason why you have decided to go against the original board coding and the coding of nearly every other major forum script by using GET and allowing the data to be viewed in the address bar?
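
Added example, not part of the thread and not the forum's own code: a small Python check that scans web server access log lines for credentials carried in the query string, which is how the behaviour discussed above (a POST login followed by a redirect that puts the login data in the URL) would also end up in server logs. The parameter names, paths and log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Parameter names treated as credentials (an assumption; extend for your application).
SENSITIVE = {"password", "passwd", "pass", "pwd"}

# Request line inside a common/combined-format log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def redact_target(target):
    """Return (redacted_target, leaked_param_names) for one request target."""
    parts = urlsplit(target)
    leaked, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE and value:
            leaked.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not leaked:
        return target, []
    return urlunsplit(parts._replace(query=urlencode(pairs))), leaked


def scan(lines):
    """Yield (line_number, method, redacted_target, leaked_names) for each hit."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target, leaked = redact_target(match.group("target"))
        if leaked:
            yield number, match.group("method"), target, leaked


# Constructed sample log lines (documentation address range, made-up values).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Mar/2006:09:44:01 +0000] "POST /login.php HTTP/1.1" 302 0',
    '192.0.2.10 - - [08/Mar/2006:09:44:02 +0000] '
    '"GET /index.php?username=alice&password=hunter2&login=Log+in HTTP/1.1" 200 5120',
    '192.0.2.11 - - [08/Mar/2006:09:45:10 +0000] "GET /viewtopic.php?t=42 HTTP/1.1" 200 8000',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The POST request itself produces no hit because its body is not written to the access log; only the redirected GET, whose query string is logged in full, is flagged and redacted.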
 
 
Powered by phpBB 2.0.19 © 2001, 2002 phpBB Group