Bug 572303
| Summary: | Attempting to create a user following an expired admin session exposes username/passwd pair of new user in URL. | | |
|---|---|---|---|
| Product: | [Other] RHQ Project | Reporter: | Corey Welton <cwelton> |
| Component: | Core Server | Assignee: | RHQ Project Maintainer <rhq-maint> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Mike Foley <mfoley> |
| Severity: | high | CC: | ccrouch |
| Priority: | low | Doc Type: | Bug Fix |
| Version: | 1.3.1 | Hardware: | All |
| OS: | Linux | Last Closed: | 2013-09-03 16:55:19 UTC |
| Bug Blocks: | 585306 | | |

Description
Corey Welton
2010-03-10 19:40:11 UTC
Sniffing isn't an issue since the password has to be submitted somehow, and we support HTTPS to avoid plaintext. But still a security issue because of the display in the URL bar.

Talked to mschoene and he agreed this is a low priority and something we should be able to address during the update to GWT.

This should no longer be an issue in coregui.

Passwords are visually obfuscated, not passed in URLs. Used Firebug to try and see the password, but could not.

Bulk closing of old issues that are in VERIFIED state.