[Savannah-dev] [Bug #1631] login failure + password sent in clear text
From: nobody
Subject: [Savannah-dev] [Bug #1631] login failure + password sent in clear text
Date: Wed, 06 Nov 2002 15:18:34 -0500
=================== BUG #1631: FULL BUG SNAPSHOT ===================
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=1631&group_id=11
Submitted by: adl
Project: Savannah
Submitted on: 2002-Nov-06 20:18
Category: Site Admin
Severity: 5 - Average
Priority: None
Bug Group: None
Resolution: None
Assigned to: None
Status: Open
Effort: 0.00
Summary: login failure + password sent in clear text
Original Submission:
Hi People,
It seems there is something rotten in the login process.
1. I went to https://savannah.gnu.org/account/login.php
2. Filled my login (adl), and my password
3. Left the checkboxes in their default state:
[X] Stay in SSL mode after login
[ ] Remember me
[ ] Login also in savannah.nongnu.org
4. Clicked [Login]
5. And got
| Bad Request
|
| Your browser sent a request that this server could not understand.
|
| The request line contained invalid characters following the protocol string.
At this point the URL displayed is
http://savannah.nongnu.org//account/login.php?form_loginname=adl&form_pw=XX YYYYY&cookie_for_a_year=&from_brother=1&login=1
Where `XX YYYYY' stands for my password in clear text, which contains
a space.
I have a few concerns here:
1) Apparently I've been redirected from an HTTPS page to a plain HTTP page, and
my password is being sent as clear text over the Internet.
2) Spaces in the redirected URL aren't escaped (I suspect that
other "unsafe" characters listed in RFC 1738 aren't escaped either).
If I replace this space by %20 and reload the page I finally
end up at my "my/" page.
3) I didn't ask to login in s.nongnu.o!
FWIW, I'm using Netscape 4.77 which, AFAIK, uses given URLs as-is (I
know some other browsers fix broken URLs themselves, by quoting unsafe
characters).
No Followups Have Been Posted
CC list is empty
No files currently attached
For detailed info, follow this link:
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=1631&group_id=11
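The three concerns in this report can be checked mechanically on any login redirect. The following is an added example, not part of the original bug report and not Savannah's code: it audits a redirect target for an HTTPS-to-HTTP downgrade, a cross-host hop, a password carried in the query string, and unescaped characters. The function names and every entry in the secret-parameter list other than `form_pw` are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl, quote

# Parameter names treated as secrets; form_pw is from the report, the rest are assumptions.
SECRET_PARAMS = {"form_pw", "password", "passwd", "pw"}
# Subset of the characters RFC 1738 lists as unsafe; a raw space also breaks
# the HTTP request line, which is what produced the "Bad Request" in the report.
UNSAFE = set(' "<>{}|\\^[]`')


def audit_redirect(origin_url, location):
    """Return a list of findings for a redirect from origin_url to location."""
    findings = []
    src, dst = urlsplit(origin_url), urlsplit(location)
    if src.scheme == "https" and dst.scheme == "http":
        findings.append("downgrade: HTTPS page redirects to plain HTTP")
    if src.hostname != dst.hostname:
        findings.append(f"cross-host: {src.hostname} -> {dst.hostname}")
    names = {k for k, _ in parse_qsl(dst.query, keep_blank_values=True)}
    leaked = sorted(names & SECRET_PARAMS)
    if leaked:
        findings.append("secret in query string: " + ", ".join(leaked))
    bad = sorted({c for c in location
                  if c in UNSAFE or ord(c) < 0x21 or ord(c) > 0x7e})
    if bad:
        findings.append("unescaped characters: " + " ".join(repr(c) for c in bad))
    return findings


def escape_value(value):
    """Percent-encode one query value so it is safe inside a URL."""
    return quote(value, safe="")


# Constructed sample mirroring the report; "XX YYYYY" is the report's own placeholder.
ORIGIN = "https://savannah.gnu.org/account/login.php"
LOCATION = ("http://savannah.nongnu.org//account/login.php?form_loginname=adl"
            "&form_pw=XX YYYYY&cookie_for_a_year=&from_brother=1&login=1")

if __name__ == "__main__":
    for finding in audit_redirect(ORIGIN, LOCATION):
        print(finding)
    print(escape_value("XX YYYYY"))
```

Escaping the value only addresses the malformed request line; the downgrade and query-string findings remain until the credential stops travelling in a URL.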