[Savannah-dev] [Bug #1631] login failure + password sent in clear text
From: nobody
Subject: [Savannah-dev] [Bug #1631] login failure + password sent in clear text
Date: Wed, 06 Nov 2002 15:46:01 -0500
=================== BUG #1631: LATEST MODIFICATIONS ==================
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=1631&group_id=11
Changes by: Mathieu Roy <address@hidden>
Date: 2002-Nov-06 21:46 (Europe/Paris)
What        | Removed     | Added
------------|-------------|-----------
Severity    | 5 - Average | 7 - Major
Priority    | None        | Immediate
Assigned to | None        | yeupou
------------------ Additional Follow-up Comments ----------------------------
This is weird. I do not understand why when you do not ask for login in
sv.nongnu.org it tries to redirect you there.
But your "2) Spaces in the redirected URL aren't escaped (I suspect that
other "unsafe" characters listed in RFC 1738 aren't escaped either).
If I replace this space by %20 and reload the page I finally
end up to my "my/" page." hit a bug previously listed. Unfortunately I do not
have time to fix that directly.
This feature "log in also in nongnu.org" has been added in a hurry, but it
obviously needs to be rewritten, or heavily fixed. For now, I haven't many ideas
to improve it. I'll think about it and try to do something on Friday. Tomorrow,
I'll be at university most of the day.
=================== BUG #1631: FULL BUG SNAPSHOT ===================
Submitted by: adl
Project: Savannah
Submitted on: 2002-Nov-06 21:18
Category: Site Admin
Severity: 7 - Major
Priority: Immediate
Bug Group: None
Resolution: None
Assigned to: yeupou
Status: Open
Effort: 0.00
Summary: login failure + password sent in clear text
Original Submission: Hi People,
It seems there is something rotten in the login process.
1. I went to https://savannah.gnu.org/account/login.php
2. Filled my login (adl), and my password
3. Left the checkboxes in their default state:
[X] Stay in SSL mode after login
[ ] Remember me
[ ] Login also in savannah.nongnu.org
4. Clicked [Login]
5. And got
| Bad Request
|
| Your browser sent a request that this server could not understand.
|
| The request line contained invalid characters following the protocol string.
At this point the URL displayed is
http://savannah.nongnu.org//account/login.php?form_loginname=adl&form_pw=XX YYYYY&cookie_for_a_year=&from_brother=1&login=1
Where `XX YYYYY' stands for my password in clear text, which contains
a space.
I have a few concerns here
1) Apparently I've been redirected from an HTTPS page to a plain HTTP page, and
my password is being sent as clear text over the Internet.
2) Spaces in the redirected URL aren't escaped (I suspect that
other "unsafe" characters listed in RFC 1738 aren't escaped either).
If I replace this space by %20 and reload the page I finally
end up to my "my/" page.
3) I didn't ask to log in to s.nongnu.o!
FWIW, I'm using Netscape 4.77 which, AFAIK, uses given URLs as-is (I
know some other browsers fix broken URLs themselves, by quoting unsafe
characters).
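The three concerns in the report, turned into a check a maintainer could run against a captured redirect before shipping a fix. This is an added example, not Savannah's code: the parameter names and the "XX YYYYY" placeholder password are copied from the URL in the report, and the "unsafe" character set follows RFC 1738 section 2.2.

```python
from urllib.parse import urlsplit, parse_qs, urlencode, quote

# Query parameter names taken from the URL in the bug report; form_pw carries the password.
SECRET_PARAMS = {"form_pw"}
# Characters RFC 1738 section 2.2 lists as "unsafe" in a URL. '%' is left out because
# it is the escape character itself and legitimately appears in an encoded URL.
UNSAFE = set(' <>"#{}|\\^~[]`')


def audit_login_redirect(origin_url: str, redirect_url: str) -> list:
    """Return findings for a login redirect, one string per problem found."""
    findings = []
    o, r = urlsplit(origin_url), urlsplit(redirect_url)
    # Concern 1: the HTTPS login form hands the browser off to an unencrypted URL.
    if o.scheme == "https" and r.scheme != "https":
        findings.append("downgrade: HTTPS login redirected to %s" % r.scheme)
    # Concern 3: the target is a different host than the one the user logged in to.
    if o.hostname != r.hostname:
        findings.append("cross-host: %s -> %s" % (o.hostname, r.hostname))
    # Concern 2: characters that must be percent-encoded but were copied in raw.
    raw = r.path + ("?" + r.query if r.query else "")
    bad = "".join(sorted({c for c in raw if c in UNSAFE}))
    if bad:
        findings.append("unescaped: %r" % bad)
    # Concern 1 again: a credential in the query string ends up in server logs,
    # proxy logs and browser history even when the transport is encrypted.
    for name in sorted(SECRET_PARAMS & set(parse_qs(r.query, keep_blank_values=True))):
        findings.append("secret-in-url: %s" % name)
    return findings


def encode_query(params: dict) -> str:
    """Build a query string with RFC 1738 unsafe characters percent-encoded (space -> %20)."""
    return urlencode(params, quote_via=quote)


if __name__ == "__main__":
    # Constructed reproduction of the report's URLs; "XX YYYYY" is the placeholder password.
    origin = "https://savannah.gnu.org/account/login.php"
    observed = ("http://savannah.nongnu.org//account/login.php"
                "?form_loginname=adl&form_pw=XX YYYYY&cookie_for_a_year=&from_brother=1&login=1")
    for line in audit_login_redirect(origin, observed):
        print(line)
    print(encode_query({"form_loginname": "adl", "form_pw": "XX YYYYY"}))
```

Encoding the space the way the reporter did by hand fixes the "Bad Request" but still leaves the password in the URL, which the audit keeps flagging.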
CC list is empty
No files currently attached
For detailed info, follow this link:
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=1631&group_id=11