Critical Watch - Autocomplete Password in Browser Vulnerability


Critical Watch - Autocomplete Password in Browser Vulnerability

amlan.geronimo
Hi Team, When I try to log in to the Geronimo Admin console with the admin credentials (system/system's password), the browser (in my case IE) asks whether I would like to save my password. If I click OK, it saves the password in the form of a browser cookie. My question is how can I stop this using autocomplete="off", and in which file should we make this change? Please help. -Amlan

Re: Critical Watch - Autocomplete Password in Browser Vulnerability

Kevin Huntly

You can tell Internet Explorer (and any other browser) not to save passwords. I believe the setting is under tools -> internet options -> security, select internet and then select "custom level". Alternately, if you say no to that prompt, I believe it asks if you want to save passwords in the future, to which you can say no as well.

________________________________________________

Kevin Huntly
79 Aurora Drive
Cheektowaga, NY 14215
Email: [hidden email]
Cell: (716) 341-5669
LinkedIn: http://www.linkedin.com/in/kevinhuntly
________________________________________________

-----BEGIN GEEK CODE BLOCK-----
Version: 1.0
GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E---
W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+)
PGP++(+++) t+ 5-- X-- R+ tv+ b++  DI++ D++
G++ e(+) h--- r+++ y+++*
------END GEEK CODE BLOCK------

On Jan 15, 2015 8:21 AM, "amlan.geronimo" <[hidden email]> wrote:
Hi Team, When I try to log in to the Geronimo Admin console with the admin credentials (system/system's password), the browser (in my case IE) asks whether I would like to save my password. If I click OK, it saves the password in the form of a browser cookie. My question is how can I stop this using autocomplete="off", and in which file should we make this change? Please help. -Amlan

View this message in context: Critical Watch - Autocomplete Password in Browser Vulnerability
Sent from the Users mailing list archive at Nabble.com.

Re: Critical Watch - Autocomplete Password in Browser Vulnerability

amlan.geronimo
Thank you Kevin for your reply!! Can we stop this programmatically, so that the browser will not ask for this again? -Amlan

Re: Critical Watch - Autocomplete Password in Browser Vulnerability

Kevin Huntly

Yeah, there's an option on the form for it - autocomplete = "off" - but not all browsers honor it.


On Jan 15, 2015 9:29 AM, "amlan.geronimo" <[hidden email]> wrote:
Thank you Kevin for your reply!! Can we stop this programmatically, so that the browser will not ask for this again? -Amlan


Re: Critical Watch - Autocomplete Password in Browser Vulnerability

amlan.geronimo
Many Thanks Kevin!! I will try with another browser and will give my update. -Amlan

Re: Critical Watch - Autocomplete Password in Browser Vulnerability

               
amlan.geronimo
Kevin & All forum friends,

I tried with Mozilla Firefox. But this time also no luck for me.

I updated the login.jsp file under "org/apache/geronimo/plugins/console-tomcat/2.1.8/console-tomcat-2.1.8.car/portal-driver.war"

$ grep autocomplete login.jsp
<input name="j_username" type="text" autocomplete="off" class="InputField" value="" size="20px"/>
<input name="j_password" type="password" autocomplete="off" class="InputField" value="" size="20px"/>

Any advice?

Thank you in advance!!

- Amlan

Re: Critical Watch - Autocomplete Password in Browser Vulnerability

Kevin Huntly

Not on my side - it's not accepted by all browsers (usually that just means IE) so I'm not sure what to say. I haven't had issues with it, but I also disable password saving entirely in the browser itself.


On Jan 16, 2015 8:10 AM, "amlan.geronimo" <[hidden email]> wrote:
Kevin & All forum friends,

I tried with Mozilla Firefox. But this time also no luck for me.

I updated the login.jsp file under "org/apache/geronimo/plugins/console-tomcat/2.1.8/console-tomcat-2.1.8.car/portal-driver.war"

$ grep autocomplete login.jsp
<input name="j_username" type="text" autocomplete="off" class="InputField" value="" size="20px"/>
<input name="j_password" type="password" autocomplete="off" class="InputField" value="" size="20px"/>

Any advice?

Thank you in advance!!

- Amlan





--
View this message in context: http://apache-geronimo.328035.n3.nabble.com/Critical-Watch-Autocomplete-Password-in-Browser-Vulnerability-tp3988677p3988684.html
Sent from the Users mailing list archive at Nabble.com.
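
The markup change discussed in this thread can be checked statically. The following is an added example (not code from the thread or from Geronimo) that parses a page and reports text and password inputs whose effective autocomplete value is not "off", taking a form-level attribute into account. The sample forms and the j_security_check action are constructed for illustration, and the check covers the markup only, not whether a given browser honors the attribute.

```python
from html.parser import HTMLParser

class AutocompleteAudit(HTMLParser):
    """Record each text/password input with its effective autocomplete value."""

    def __init__(self):
        super().__init__()
        self.form_value = None  # autocomplete attribute of the enclosing <form>
        self.findings = []      # (field name, input type, effective value)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        own = (attrs.get("autocomplete") or "").strip().lower() or None
        if tag == "form":
            self.form_value = own
        elif tag == "input":
            kind = (attrs.get("type") or "text").lower()
            if kind in ("text", "password"):
                # A field-level attribute overrides the form-level one.
                self.findings.append((attrs.get("name"), kind, own or self.form_value))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_value = None

def audit(markup):
    parser = AutocompleteAudit()
    parser.feed(markup)
    parser.close()
    return parser.findings

def flagged(markup):
    """Names of credential inputs whose effective autocomplete is not "off"."""
    return [name for name, _, value in audit(markup) if value != "off"]

# Constructed samples modelled on the two inputs quoted in the thread.
BEFORE = '''<form method="post" action="j_security_check">
<input name="j_username" type="text" class="InputField" value="" size="20px"/>
<input name="j_password" type="password" class="InputField" value="" size="20px"/>
</form>'''
AFTER = BEFORE.replace('class=', 'autocomplete="off" class=')
# Form-level "off", but the password field switches it back on.
OVERRIDE = BEFORE.replace('<form ', '<form autocomplete="off" ').replace(
    'type="password"', 'type="password" autocomplete="on"')

if __name__ == "__main__":
    for label, page in (("before", BEFORE), ("after", AFTER), ("override", OVERRIDE)):
        print(label, flagged(page) or "ok")
```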