
[Savannah-dev] [Bug #1631] login failure + password sent in clear text


From: nobody
Subject: [Savannah-dev] [Bug #1631] login failure + password sent in clear text
Date: Wed, 06 Nov 2002 15:46:01 -0500

=================== BUG #1631: LATEST MODIFICATIONS ==================
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=1631&group_id=11

Changes by: Mathieu Roy <address@hidden>
Date: 2002-Nov-06 21:46 (Europe/Paris)

            What     | Removed                   | Added
---------------------------------------------------------------------------
            Severity | 5 - Average               | 7 - Major
            Priority | None                      | Immediate
         Assigned to | None                      | yeupou


------------------ Additional Follow-up Comments ----------------------------
This is weird. I do not understand why, when you do not ask for login in 
sv.nongnu.org, it tries to redirect you there.


But your "2) Spaces in the redirected URL aren't escaped (I suspect that
other "unsafe" characters listed in RFC 1738 aren't escaped either).
If I replace this space by %20 and reload the page I finally
end up at my "my/" page." hit a bug previously listed. Unfortunately I do not 
have time to fix that directly.
This feature "log in also in nongnu.org" has been added in a hurry, but it 
obviously needs to be rewritten, or heavily fixed. For now, I haven't many ideas 
to improve it. I'll think about it and try to do something on Friday. Tomorrow, 
I'll be at university most of the day.



=================== BUG #1631: FULL BUG SNAPSHOT ===================


Submitted by: adl                       Project: Savannah                       
Submitted on: 2002-Nov-06 21:18
Category:  Site Admin                   Severity:  7 - Major                    
Priority:  Immediate                    Bug Group:  None                        
Resolution:  None                       Assigned to:  yeupou                    
Status:  Open                           Effort:  0.00                           

Summary:  login failure + password sent in clear text

Original Submission:  Hi People,

It seems there is something rotten in the login process.

1. I went to https://savannah.gnu.org/account/login.php
2. Filled my login (adl), and my password
3. Left the checkboxes in their default state:
   [X] Stay in SSL mode after login
   [ ] Remember me
   [ ] Login also in savannah.nongnu.org
4. Clicked [Login]
5. And got

| Bad Request
| 
| Your browser sent a request that this server could not understand.
| 
| The request line contained invalid characters following the protocol string.

At this point the URL displayed is

http://savannah.nongnu.org//account/login.php?form_loginname=adl&form_pw=XX YYYYY&cookie_for_a_year=&from_brother=1&login=1

Where `XX YYYYY' stands for my password in clear text, which contains
a space.

I have a few concerns here:

1) Apparently I've been redirected from an HTTPS page to a plain HTTP page, and
   my password is being sent as clear text over the Internet. 

2) Spaces in the redirected URL aren't escaped (I suspect that 
   other "unsafe" characters listed in RFC 1738 aren't escaped either). 
   If I replace this space by %20 and reload the page I finally 
   end up at my "my/" page.

3) I didn't ask to log in to s.nongnu.o!


FWIW, I'm using Netscape 4.77 which, AFAIK, uses given URLs as-is (I
know some other browsers fix broken URLs themselves, by quoting unsafe
characters).
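
An added audit of the redirect URL quoted above, written for this page and not code from Savannah: it flags the HTTPS-to-HTTP downgrade, the unescaped RFC 1738 unsafe characters, and the password carried in the query string, and shows the percent-encoding adl applied by hand. The parameter names come from the URL in the report; the password value is a constructed placeholder.

```python
"""Audit a login redirect URL for the three problems raised in bug #1631.
Added example; not part of the Savannah code base."""
from urllib.parse import urlsplit, parse_qsl, urlencode, quote

# RFC 1738 "unsafe" characters: must be percent-encoded inside a URL.
RFC1738_UNSAFE = set(' <>"#%{}|\\^~[]`')

# Redirect URL quoted in the report; "XX YYYYY" is a constructed placeholder
# standing in for a password that contains a space.
REPORTED_URL = ("http://savannah.nongnu.org//account/login.php"
                "?form_loginname=adl&form_pw=XX YYYYY"
                "&cookie_for_a_year=&from_brother=1&login=1")

# Field name taken from the URL in the report; a secret that must never
# ride in a query string (it lands in logs, history and Referer headers).
CREDENTIAL_PARAMS = {"form_pw"}


def audit_redirect(url: str, came_from_https: bool = True) -> list[str]:
    """Return findings for a login redirect URL; an empty list means clean."""
    findings = []
    parts = urlsplit(url)
    if came_from_https and parts.scheme != "https":
        findings.append(f"downgrade: redirect target uses {parts.scheme}, not https")
    # Inspect the raw query text: urlsplit would drop a '#' fragment, and
    # '%' is excluded because it is the escape character itself.
    raw_query = url.split("?", 1)[1] if "?" in url else ""
    bad = sorted(c for c in RFC1738_UNSAFE - {"%"} if c in raw_query)
    if bad:
        findings.append(f"unescaped unsafe characters in query: {bad!r}")
    for name, _ in parse_qsl(raw_query, keep_blank_values=True):
        if name in CREDENTIAL_PARAMS:
            findings.append(f"credential parameter {name!r} exposed in query string")
    return findings


def encode_login_query(params: dict[str, str]) -> str:
    """Percent-encode query values (space -> %20, the fix adl applied by hand).
    This addresses problem 2 only: the password should still not travel
    in a GET URL, nor over plain http."""
    return urlencode(params, quote_via=quote)
```

Running `audit_redirect(REPORTED_URL)` reproduces all three findings from the report, while an https URL carrying only `from_brother=1&login=1` audits clean.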




CC list is empty


No files currently attached


For detailed info, follow this link:
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=1631&group_id=11



