Discussion:
Critical Watch - Autocomplete Password in Browser Vulnerability
amlan.geronimo
2015-01-15 13:20:25 UTC
Hi Team,

When I try to log in to the Geronimo Admin console with the admin
credentials (system/system's password), the browser (in my case IE) asks
whether I would like to save my password. If I click OK, it saves the
password in the form of a browser cookie. My question is: how can I stop
this using autocomplete="off", and in which file should we make this change?
Please help.

-Amlan



--
View this message in context: http://apache-geronimo.328035.n3.nabble.com/Critical-Watch-Autocomplete-Password-in-Browser-Vulnerability-tp3988677.html
Sent from the Users mailing list archive at Nabble.com.
Kevin Huntly
2015-01-15 13:41:35 UTC
You can tell Internet Explorer (and any other browser) not to save
passwords. I believe the setting is under tools -> internet options ->
security, select internet and then select "custom level". Alternately, if
you say no to that prompt, I believe it asks if you want to save passwords
in the future, to which you can say no as well.

________________________________________________

Kevin Huntly
79 Aurora Drive
Cheektowaga, NY 14215
Email: ***@gmail.com
Cell: (716) 341-5669
LinkedIn: http://www.linkedin.com/in/kevinhuntly
________________________________________________

-----BEGIN GEEK CODE BLOCK-----
Version: 1.0
GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E---
W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+)
PGP++(+++) t+ 5-- X-- R+ tv+ b++ DI++ D++
G++ e(+) h--- r+++ y+++*
------END GEEK CODE BLOCK------
amlan.geronimo
2015-01-15 14:28:09 UTC
Thank you Kevin for your reply!! Can we stop this programmatically, so that
the browser will not ask for this again? -Amlan



Kevin Huntly
2015-01-15 14:35:52 UTC
Yeah there's an option on the form for it - autocomplete = "off" but not
all browsers honor it

amlan.geronimo
2015-01-15 16:37:01 UTC
Many Thanks Kevin!! I will try with another browser and will give my
update. -Amlan



amlan.geronimo
2015-01-16 13:09:38 UTC
Kevin & All forum friends,

I tried with Mozilla Firefox, but this time also no luck for me.

I updated the login.jsp file under
"org/apache/geronimo/plugins/console-tomcat/2.1.8/console-tomcat-2.1.8.car/portal-driver.war"

$ grep autocomplete login.jsp
<input name="j_username" type="text" autocomplete="off" class="InputField" value="" size="20px"/>
<input name="j_password" type="password" autocomplete="off" class="InputField" value="" size="20px"/>

Any advice?

Thank you in advance!!

- Amlan
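
A more thorough version of the grep check above, as an added example (not code from the thread or from Geronimo): a Python script that parses login-form markup and reports the effective autocomplete state of each password input, letting a field-level attribute override the form-level one. The sample markup is constructed from the two fields quoted in the post; the second form, the form names and the function names are assumptions for illustration.

```python
from html.parser import HTMLParser

# Constructed sample modelled on the login.jsp fields quoted in the thread;
# the second form is a constructed "unfixed" variant for comparison.
SAMPLE = '''
<form name="login" action="j_security_check" method="POST">
  <input name="j_username" type="text" autocomplete="off" class="InputField" value="" size="20px"/>
  <input name="j_password" type="password" autocomplete="off" class="InputField" value="" size="20px"/>
</form>
<form name="legacy" action="j_security_check" method="POST">
  <input name="j_username" type="text"/>
  <input name="j_password" type="password"/>
</form>
'''

class AutocompleteAudit(HTMLParser):
    """Record the effective autocomplete state of every password input."""
    def __init__(self):
        super().__init__()
        self.form_state = None   # autocomplete value of the enclosing <form>
        self.findings = []       # (line, field name, effective value)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self.form_state = a.get("autocomplete")
        elif tag == "input" and a.get("type") == "password":
            # A field-level attribute overrides the form-level one;
            # with neither present the browser default is "on".
            effective = a.get("autocomplete") or self.form_state or "on"
            self.findings.append((self.getpos()[0], a.get("name", "?"), effective))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_state = None

def audit(html):
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

def flagged(html):
    """Password fields whose effective autocomplete is not 'off'."""
    return [f for f in audit(html) if f[2] != "off"]

if __name__ == "__main__":
    for line, name, state in audit(SAMPLE):
        print(f"line {line}: {name} autocomplete={state}")
```

This confirms only that the attribute is present in the markup being checked; whether a given browser then honors it is a separate question, as the replies in this thread point out.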





Kevin Huntly
2015-01-16 21:16:45 UTC
Not on my side - it's not accepted by all browsers (usually that just means
IE) so I'm not sure what to say. I haven't had issues with it, but I also
disable password saving entirely in the browser itself.
