Login form allows autocompletion by browser
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard (Horizon) | Fix Released | Medium | Jesse Pretorius | 2013.1
Bug Description
The AUTOCOMPLETE attribute, which is used by web developers to indicate when web browsers should retain information relating to web forms, is not disabled on form input elements relating to passwords.
An attacker, who gains access to the computer, either locally or through some remote compromise, can capture the stored credentials. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.
It is recommended that the AUTOCOMPLETE attribute on all sensitive forms should be disabled.
I have prepared a suggested patch in this pull request: https:/
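The report above describes the weakness in prose only. The following is an added example, not code from the bug, the reporter's pull request or the Horizon project: a small audit that walks rendered login-form HTML and reports every password input whose effective autocomplete setting is not "off", honouring the fact that a form-level autocomplete="off" is inherited by its controls. The form markup (field names, action URL) is constructed for the example and is not Horizon's template.

```python
from html.parser import HTMLParser

# Constructed sample (hypothetical markup, not Horizon's template): a login form
# as the bug describes, with no autocomplete attribute anywhere.
VULNERABLE_FORM = """
<form method="post" action="/auth/login/">
  <input type="text" name="username" id="id_username">
  <input type="password" name="password" id="id_password">
  <input type="submit" value="Sign In">
</form>
"""

# Constructed sample: the same form with the recommended fix applied per input.
HARDENED_FORM = """
<form method="post" action="/auth/login/">
  <input type="text" name="username" id="id_username" autocomplete="off">
  <input type="password" name="password" id="id_password" autocomplete="off">
  <input type="submit" value="Sign In">
</form>
"""

# Constructed sample: the attribute set once on the <form>, which HTML applies
# as the default for every control inside it.
FORM_LEVEL_OFF_FORM = """
<form method="post" action="/auth/login/" autocomplete="off">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
"""


class AutocompleteAuditor(HTMLParser):
    """Collect password inputs whose effective autocomplete value is not 'off'.

    A stack of enclosing <form> defaults is kept so that a form-level
    autocomplete="off" counts for inputs that carry no attribute themselves,
    while an explicit autocomplete="on" on the input still overrides it.
    """

    def __init__(self):
        super().__init__()
        self.findings = []
        self._form_defaults = []  # True when the enclosing form says "off"

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form_defaults.append(attrs.get("autocomplete", "").lower() == "off")
            return
        if tag != "input" or attrs.get("type", "text").lower() != "password":
            return
        if "autocomplete" in attrs:
            effective_off = attrs["autocomplete"].lower() == "off"
        else:
            effective_off = bool(self._form_defaults) and self._form_defaults[-1]
        if not effective_off:
            self.findings.append(attrs.get("name") or attrs.get("id") or "<unnamed>")

    def handle_endtag(self, tag):
        if tag.lower() == "form" and self._form_defaults:
            self._form_defaults.pop()


def find_autocompleting_password_fields(html):
    """Return the names (or ids) of password inputs the browser may remember."""
    auditor = AutocompleteAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for label, markup in [("vulnerable", VULNERABLE_FORM),
                          ("hardened", HARDENED_FORM),
                          ("form-level off", FORM_LEVEL_OFF_FORM)]:
        print(label, "->", find_autocompleting_password_fields(markup))
```

Run against the first sample the audit reports the `password` field; the other two come back clean. In a Django form such as Horizon's, the attribute is normally added through the widget, e.g. `forms.PasswordInput(attrs={"autocomplete": "off"})`, which renders the same markup the hardened sample shows. One caveat worth carrying with this check: current mainstream browsers treat autocomplete="off" on login fields as advisory and will still offer to save the password, so the attribute is a hardening measure rather than a guarantee that credentials are never stored.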
Changed in horizon:
assignee: nobody → Jesse Pretorius (jesse-pretorius)

Changed in horizon:
importance: Undecided → Medium
milestone: none → grizzly-3

Changed in horizon:
status: Fix Committed → Fix Released

Changed in horizon:
milestone: grizzly-3 → 2013.1
Adding PTL for comments.
While I think this definitely should be fixed as a strengthening measure, I don't think this warrants an information embargo and security advisory, as it relies on another exploit to be used.
Any chance you could submit your patch following http://wiki.openstack.org/GerritWorkflow ? If not, do you mind if someone picks it up and proposes it (with proper credit on the commit message) ?
Setting this to public since the github pull req is public.