
[Savannah-dev] [Bug #1631] login failure + password sent in clear text


From: nobody
Subject: [Savannah-dev] [Bug #1631] login failure + password sent in clear text
Date: Wed, 06 Nov 2002 15:18:34 -0500

=================== BUG #1631: FULL BUG SNAPSHOT ===================
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=1631&group_id=11

Submitted by: adl                       Project: Savannah                       
Submitted on: 2002-Nov-06 20:18
Category:  Site Admin                   Severity:  5 - Average                  
Priority:  None                         Bug Group:  None                        
Resolution:  None                       Assigned to:  None                      
Status:  Open                           Effort:  0.00                           

Summary:  login failure + password sent in clear text

Original Submission:  Hi People,

It seems there is something rotten in the login process.

1. I went to https://savannah.gnu.org/account/login.php
2. Filled my login (adl), and my password
3. Left the checkboxes in their default state:
   [X] Stay in SSL mode after login
   [ ] Remember me
   [ ] Login also in savannah.nongnu.org
4. Clicked [Login]
5. And got

| Bad Request
| 
| Your browser sent a request that this server could not understand.
| 
| The request line contained invalid characters following the protocol string.

At this point the URL displayed is

http://savannah.nongnu.org//account/login.php?form_loginname=adl&form_pw=XX YYYYY&cookie_for_a_year=&from_brother=1&login=1

Where `XX YYYYY' stands for my password in clear text, which contains
a space.

I have a few concerns here

1) Apparently I've been redirected from an HTTPS page to a plain HTTP page, and
   my password is being sent as clear text over the Internet.

2) Spaces in the redirected URL aren't escaped (I suspect that
   other "unsafe" characters listed in RFC 1738 aren't escaped either).
   If I replace this space by %20 and reload the page I finally
   end up at my "my/" page.

3) I didn't ask to login in s.nongnu.o!


FWIW, I'm using Netscape 4.77 which, AFAIK, uses given URLs as-is (I
know some other browsers fix broken URLs themselves, by quoting unsafe
characters).




No Followups Have Been Posted


CC list is empty


No files currently attached


For detailed info, follow this link:
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=1631&group_id=11
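An audit routine for the post-login redirect quoted in this report, added here as an example and not taken from Savannah's code. It checks the four problems the submitter raises (HTTPS-to-HTTP downgrade, unescaped RFC 1738 characters, the password carried in the query string, and an unrequested cross-site login) and shows a re-encoded form of the same URL; the password value is a placeholder and `brother_login_requested` stands in for the user's checkbox state.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# The redirect URL quoted in bug #1631, with the placeholder password from the report.
OBSERVED = ("http://savannah.nongnu.org//account/login.php"
            "?form_loginname=adl&form_pw=XX YYYYY&cookie_for_a_year=&from_brother=1&login=1")

# Parameter names that must never travel in a URL (assumed name from the report's URL).
SECRET_PARAMS = {"form_pw"}
# Characters RFC 1738 calls "unsafe"; '%' is left out because it is the escape itself.
RFC1738_UNSAFE = set(' <>"#{}|\\^~[]`')


def audit_redirect(url, origin_scheme="https", brother_login_requested=False):
    """Return a list of findings for a post-login redirect URL (empty if it is clean)."""
    findings = []
    parts = urlsplit(url)
    if origin_scheme == "https" and parts.scheme != "https":
        findings.append("scheme downgrade: %s -> %s" % (origin_scheme, parts.scheme))
    # Check the raw query string: parse_qsl() would silently accept the bare space.
    bad = sorted(set(c for c in parts.query if c in RFC1738_UNSAFE))
    if bad:
        findings.append("unescaped unsafe characters in query: %r" % "".join(bad))
    names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    for secret in sorted(SECRET_PARAMS & names):
        findings.append("secret %r carried in query string" % secret)
    if "from_brother" in names and not brother_login_requested:
        findings.append("cross-site login (from_brother) not requested by user")
    return findings


def rebuild_safely(url):
    """Re-issue the redirect over https, percent-encoded, and without secret parameters."""
    parts = urlsplit(url)
    pairs = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k not in SECRET_PARAMS]
    return urlunsplit(("https", parts.netloc, parts.path, urlencode(pairs), ""))


if __name__ == "__main__":
    for f in audit_redirect(OBSERVED):
        print("FINDING:", f)
    print("rebuilt:", rebuild_safely(OBSERVED))
```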
