
"Security Issue" in Entry Properties plug-in

Posted: Mon Nov 24, 2008 3:32 pm
by sbauer
Today I stumbled over a security issue (more or less) in the Entry Properties plug-in (serendipity_event_entryproperties).

The issue is only relevant to multi-user blogs.

If a user logs in and saves his password inside the browser (which a lot of people do), the password form when creating a new entry will be filled in automatically by the browser. If the user does not double-check the form and posts the entry, the entry will be protected with the user's login password.

If another user now edits this entry, the password form will contain the password set for this entry. In this case it's the user's login password which can now be read from the HTML code.

To prevent the password field from being filled in automatically by the browser, the autocomplete="off" attribute should be added to it.

And yes, this really happened at one of my s9y blogs ;) and I can imagine that this could happen quite a bit more often.

Best,
Sebastian
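
The two halves of the problem described in this post, browser autofill putting a login password into the entry-protection field and the stored value then being echoed back into the edit form, side by side with a hardened rendering. This is an added example, not code from the Serendipity plug-in; the function names, the `properties[entrypassword]` field name and `$stored` are assumptions. It goes one step beyond the thread's fix: current browsers often ignore `autocomplete="off"` on password inputs, so the hardened version also sends the `new-password` hint and never writes the saved password into the markup.

```php
<?php
// Added example (not the plugin's own code): rendering the "protect this
// entry with a password" field of an entry-editing form.
// Assumption: $stored holds the password currently saved for the entry ('' if none).

// Before: the browser may autofill a saved login password here, and whatever is
// stored for the entry is echoed into the page source, so any co-author who
// opens the entry for editing can read it from the HTML.
function render_entry_password_field_before(string $stored): string {
    return '<input type="password" name="properties[entrypassword]" value="'
        . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . '">';
}

// After: autocomplete="off" (the fix from the thread) plus the "new-password"
// token, which browsers honour more reliably as "do not fill in saved logins";
// the stored value is never written back. An empty submission keeps the
// existing password, a non-empty one replaces it.
function render_entry_password_field_after(bool $has_password): string {
    $hint = $has_password
        ? 'A password is set. Leave empty to keep it, or enter a new one.'
        : 'Leave empty for no password.';
    return '<input type="password" name="properties[entrypassword]" value=""'
        . ' autocomplete="new-password">'
        . ' <span>' . htmlspecialchars($hint, ENT_QUOTES, 'UTF-8') . '</span>';
}

// Server side: only change the stored password when the field was actually
// filled in, so leaving it blank while editing does not wipe protection.
function update_entry_password(string $current, ?string $submitted): string {
    if ($submitted === null || $submitted === '') {
        return $current;   // field left empty: keep what is stored
    }
    return $submitted;     // a new password was typed on purpose
}

// Constructed demonstration values.
echo render_entry_password_field_before('hunter2'), "\n";   // leaks the stored value
echo render_entry_password_field_after(true), "\n";         // no value in the markup
echo update_entry_password('hunter2', ''), "\n";            // keeps 'hunter2'
echo update_entry_password('hunter2', 'n3w-one'), "\n";     // replaces it
```

Because the stored password is no longer echoed, a co-author who edits the entry sees only that a password exists, which closes the leak even in browsers that autofill regardless of the attribute.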

Re: "Security Issue" in Entry Properties plug-in

Posted: Mon Nov 24, 2008 4:40 pm
by garvinhicking
Hi!

Yes indeed, a good suggestion. I've committed your suggestion.

Regards,
Garvin

Posted: Mon Nov 24, 2008 5:28 pm
by sbauer
Thanks! :)