#1 knuckle-101: Autocomplete Failed (Certain Vendors)

After some internal scanning via (root only) access, as some vendors require whitelisted scanning IPs etc., autocomplete did not pass. Below are the scan results, so I am throwing this in while the beta is open so the issue can be fixed, as banks and other major login firms have already disabled this feature as well.

    Scan Results on vendor

    Vendor 1: Level 2 Failure (Light Importance)
    Vendor 2: Level 3 Failure (High Importance)
    Vendor 3: Level 4 Failure (Severe Importance)

    Web Page Uses Cleartext HTTP Basic Authentication (Port 80)

    Poor authentication practices may leave the web application vulnerable to authentication attacks.

    Some web applications perform authentication by requiring a user to enter a login and password into an HTML form. This
    type of authentication is achieved using the HTML INPUT element with the type attribute set to password.

    There are several potential vulnerabilities associated with HTML form-based authentication:

    Authentication Credentials Prefilled. The password field is prefilled with a default value, possibly allowing universal access to the application being authenticated.

    Clear-text Form-based Authentication. The password is sent over the network unencrypted when a user submits the login form, thereby allowing an attacker who is capable of sniffing the network to view the password.

    Clear-text HTTP Basic Authentication. The password is sent over the network unencrypted when a user authenticates to a protected web directory, thereby allowing an attacker who is capable of sniffing the network to view the password.

    Autocomplete Enabled. The form allows the browser's autocomplete feature to automatically fill the password field with previously submitted values when a user begins entering a password. This feature could reveal one user's password to another user on the same computer.

    Additional information on the INPUT element is in the HTML 4.01 Specification, [http://www.w3.org/TR/1999/REC-html40...s.html#h-17.4] Section 17.4.

    For more information on HTTPS, see [http://searchsoftwarequality.techtar...14006,00.html] whatis.com.

    For more information on the autocomplete feature in HTML, see
    [http://www.htmlcodetutorial.com/form...COMPLETE.html] HTML Code Tutorial.

    Solution:
    To use HTML form-based authentication more securely in web applications, do the following:

    Remove the value attribute from the INPUT tag corresponding to the password field.

    Submit all forms to an SSL-enabled (https) service using the form's action attribute.

    Place all protected web directories on an SSL-enabled (https) service.

    Use the autocomplete="off" attribute in the INPUT tag corresponding to the password field.

    Even though we could not confirm autocomplete working over SSL, it does work over non-SSL sessions. Disabling this completely should solve the issue altogether.
    Last edited by knuckle-101; 5 Aug 2011 at 12:51 AM.
    PCI Certified Web Hosting - ControlScan, Security Metrics (Platinum Partner), McAfee, TrustKeeper
    Business Class Web Hosting - Linux and cPanel Powered
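The scanner's four "Solution" items above reduce to three checks that can be made against the login page's markup: no value attribute on the password field, an https form action, and autocomplete="off" on the password field. The script below is an added example written for this page, not code from the original post, from the scanning vendor or from Zen Cart. It parses form and input tags out of a page's HTML with plain regular expressions (no DOM needed, so it runs under Node.js offline) and reports each scanner finding it can reproduce. The two HTML snippets, the page URL and the field names email_address/password are constructed for the example and are assumptions, not copied from the Zen Cart login template. The Basic-auth-over-port-80 finding cannot be judged from form markup and is out of scope here.

```javascript
// Added example (not from the original post, the scanning vendor, or Zen Cart):
// audit login-form markup for the findings listed in the scan report above.
// Run with: node audit-login-form.js

const PAGE_URL = 'http://shop.example/index.php?main_page=login'; // assumed page URL

// Constructed sample of a weak login form: HTTP action, no autocomplete="off".
// The field names email_address/password are assumed, not taken from Zen Cart.
const WEAK_LOGIN_HTML = `
<form name="login" action="http://shop.example/index.php?main_page=login" method="post">
  <input type="text" name="email_address" id="login-email" />
  <input type="password" name="password" id="login-password" />
  <input type="submit" value="Log in" />
</form>`;

// Constructed hardened version: HTTPS action, autocomplete off on form and field.
const HARDENED_LOGIN_HTML = `
<form name="login" action="https://shop.example/index.php?main_page=login" method="post" autocomplete="off">
  <input type="text" name="email_address" id="login-email" />
  <input type="password" name="password" id="login-password" autocomplete="off" />
  <input type="submit" value="Log in" />
</form>`;

// Parse the attributes of one opening tag into an object keyed by lowercase name.
// Valueless attributes (e.g. "required") map to the empty string.
function parseAttrs(tag) {
  const body = tag.replace(/^<\s*[a-zA-Z][\w-]*/, '').replace(/\/?\s*>$/, '');
  const re = /([a-zA-Z_:][-\w:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  const attrs = {};
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding string per problem in every form that contains a password field.
function auditLoginForms(html, pageUrl) {
  const findings = [];
  const formRe = /<form\b[^>]*>([\s\S]*?)<\/form>/gi;
  let f;
  while ((f = formRe.exec(html)) !== null) {
    const form = parseAttrs(f[0].slice(0, f[0].indexOf('>') + 1));
    const inputs = [...f[1].matchAll(/<input\b[^>]*>/gi)].map((x) => parseAttrs(x[0]));
    const pwFields = inputs.filter((i) => (i.type || 'text').toLowerCase() === 'password');
    if (pwFields.length === 0) continue; // not an authentication form

    // Finding: clear-text form-based authentication. A relative or missing action
    // is resolved against the page URL, since the browser does the same.
    const action = new URL(form.action || '', pageUrl);
    if (action.protocol !== 'https:') {
      findings.push(`clear-text form submission: action=${action.href}`);
    }

    for (const pw of pwFields) {
      const label = pw.name || pw.id || '(unnamed)';
      // Finding: authentication credentials prefilled through a value attribute.
      if (pw.value !== undefined && pw.value !== '') {
        findings.push(`password field "${label}" is prefilled with a value attribute`);
      }
      // Finding: autocomplete enabled. The attribute may be set on the INPUT
      // itself or on the enclosing FORM, so either location satisfies the check.
      const ac = (pw.autocomplete ?? form.autocomplete ?? '').toLowerCase();
      if (ac !== 'off') {
        findings.push(`autocomplete not disabled on password field "${label}"`);
      }
    }
  }
  return findings;
}

// Print a PASS/FAIL line plus findings for one page, and return the findings.
function report(label, html) {
  const findings = auditLoginForms(html, PAGE_URL);
  console.log(`${label}: ${findings.length === 0 ? 'PASS' : 'FAIL'}`);
  for (const line of findings) console.log('  - ' + line);
  return findings;
}

report('weak form', WEAK_LOGIN_HTML);        // FAIL, two findings
report('hardened form', HARDENED_LOGIN_HTML); // PASS
```

Point the script at a saved copy of index.php?main_page=login (and at the create-account form, which the thread also names) and fix whichever finding it prints. One caveat from current browser behaviour, not from the scan report: mainstream browsers now ignore autocomplete="off" on login fields for the purpose of saved-password prompts, so the attribute satisfies this class of scanner check but should not be counted as a real protection against credentials being stored on a shared machine.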

#2 DrByte: Re: Autocomplete Failed (Certain Vendors)

    Can you perhaps give some SPECIFICS? Like maybe which main_page= ? or better yet, which FIELD on the page?

    Last edited by DrByte; 5 Aug 2011 at 02:17 AM.

#3 knuckle-101: Re: Autocomplete Failed (Certain Vendors)

    Actually, I did post the details which I found and used to determine the finding, but after checking back after your reply it seems the screenshot and the details did not post; no clue why, but here it is again.

    Login Page:
    xxxxxxxxx.com/V.1.5.0.1/index.php?main_page=login

    Email and Password login Fields also the Form for New User Fields

    SSL Page:
    Same link as above, only with https: it allows autocomplete the first time around; if the login fails, autocomplete is disabled. This could be cache or browser related.