Username and password show in query string


  • #1

    Hi,
    We have an issue where the username and unencrypted password show in the query string after the user logs in, e.g.
    ?username=Locky&password=actual-password
    I've searched around but not found any answer to this yet. Can we encrypt the password?
    I'm a web developer working at Ninja Kiwi games!
    Ninja Kiwi

  • #2
    Also if we can encrypt it is there a way to get all users to reset their password on next login?



    • #3
      A user on my forum has seen this as well, at least twice, most recently, last week, but we've been unable to reproduce.

      He was using
      • Chrome 84.0.4147.105
      • 10.13.6 (OSX)
      • MacBook Air
      • VBulletin 5.6.2 PL 1
      • Standard, top of the page, Forum log in
      • Not using password manager.
      • Reported log-in was slow. Had slow connection of under 5 Mbps and "almost non-existent upload speeds" at the time.
      • Query string with username and password appeared in address bar when log in completed.
      AFAIK, it's not possible to log in via URL query string. Forum configured per my sig.
      VB 5.6.4
      PHP 7.4
      MySQL 5.7.24



      • #4
        The software shouldn't use a query string for login. It may be a fallback if the AJAX login fails. JavaScript is required to use vBulletin. Blocking any JavaScript at the client level can lead to weird behavior.

        To encrypt your site, you should be using a proper security certificate and HTTPS.

        Wayne Luke
        The Rabid Badger - a vBulletin Cloud demonstration site.
        vBulletin 5 API



        • OrganForum commented
          In my user's case, JavaScript was not blocked, and the log-in eventually completed with the side effect of the credentials appearing in the query string. I suspect the AJAX call timed out, but why this would cause the credentials to appear in the query string, when it is not possible to log in this way, raises the question of why this would be a fallback.

        • Wayne Luke commented
          Well, if the AJAX times out, then a query string can be generated to do the same thing. It only appears that it happened after the login because the page doesn't always refresh when it gets data back from the server. I will have to discuss this with the developers to get specifics. However, this should only show to the user, as it is their browser, and any page load will remove it. When using HTTPS, all communication with the server itself is encrypted, including the plain-text password the user types into the login fields.

      • #5
        Thanks for the replies. In my case JavaScript was not disabled. First we had some concerned user reports with screenshots - I can't confirm whether they had JavaScript enabled or not.
        But I then logged in with Chrome (JavaScript enabled) and observed the username and password in the query string of the URL. I repeated this and saw the same thing.
        I thought the passwords in the database would be encrypted, so at least it would just show a hash if this did display?



        • #6
          Passwords in the database are hashed, not encrypted, using either the Argon2id or the Blowfish hashing algorithm.

          Passwords entered into a form field are plain text. To hash these in an appropriate manner within the browser, it would require additional software on the user's machine. At least as far as I know. Forms are encrypted when sent to the server when you use HTTPS. This is the recommended method. This allows the server to take the submitted password, hash it using the same parameters as the stored password and compare the two. This also allows the system to upgrade the user's password hash if their hash is stored in an older format such as the legacy vBulletin 4 MD5 hash or Blowfish when Argon2id is available.

          I have been trying to recreate this in vBulletin 5.6.3 and cannot do so using the default login form available in the upper right corner.

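          The verify-then-upgrade flow described in #6, as an added example that is not vBulletin's code: vBulletin does this in PHP with password_hash() and Argon2id; here the "modern" scheme is a stand-in PBKDF2-HMAC-SHA256 from the Python standard library, and the "legacy" scheme is an unsalted MD5 hex digest standing in for whatever old format is being migrated. The function names (hash_modern, login, make_sample_db), the hash string layout and the 600,000-iteration work factor are assumptions for this illustration; the user table is constructed.

```python
"""Login-time password hash upgrade: verify against the stored format, then rehash.

Added example, not vBulletin code. "Modern" = PBKDF2-HMAC-SHA256 (stand-in for
Argon2id), "legacy" = unsalted MD5 hex digest (stand-in for an old format).
"""
import hashlib
import hmac
import os

# Work factor for the stand-in modern scheme (assumption; tune to your hardware).
PBKDF2_ITERATIONS = 600_000
MODERN_PREFIX = "pbkdf2_sha256$"


def hash_modern(password: str) -> str:
    """Hash with a fresh random salt; the stored string records its own parameters."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{MODERN_PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_modern(password: str, stored: str) -> bool:
    """Re-derive with the parameters embedded in the stored hash; constant-time compare."""
    _scheme, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def verify_legacy_md5(password: str, stored: str) -> bool:
    """Legacy unsalted MD5 hex digest; only ever used to migrate away from it."""
    return hmac.compare_digest(hashlib.md5(password.encode("utf-8")).hexdigest(), stored)


def is_modern(stored: str) -> bool:
    return stored.startswith(MODERN_PREFIX)


# Used when the username does not exist, so the failure path costs about the same time
# as a real verification and does not reveal which usernames are registered.
_DUMMY_HASH = hash_modern("dummy")


def login(user_db: dict, username: str, password: str) -> bool:
    """Authenticate against whatever hash the record holds.

    Login is the only moment the server holds the plaintext, so a successful
    check against a legacy hash is immediately followed by storing a modern hash.
    """
    record = user_db.get(username)
    if record is None:
        verify_modern(password, _DUMMY_HASH)
        return False
    if is_modern(record):
        return verify_modern(password, record)
    # Anything else is treated as the legacy format.
    if verify_legacy_md5(password, record):
        user_db[username] = hash_modern(password)  # opportunistic upgrade
        return True
    return False


def make_sample_db() -> dict:
    """Constructed user table: one account still stored in the legacy MD5 format."""
    return {"Locky": hashlib.md5(b"correct horse battery").hexdigest()}
```

          After the first successful login the record for "Locky" is rewritten in the modern format and the legacy branch is never taken again for that user; a wrong password leaves the legacy hash untouched, so an attacker cannot trigger the rewrite.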



          • #7
            Thanks Wayne - I am also on Mac OS as the other person with the same issue reported. Running the latest Chrome and we have the forums under https.



            • #8
              Ok, further to this, it looks like login may actually be broken since we recently upgraded to 5.6.2 - I didn't notice because my account stays logged in. But if I log out, login actually fails with no error, but the username and password show in the URL. I can log in if I go to the AdminCP, and then I'm logged in to the front end as well. But front-end login appears to be broken.
              I posted another issue in a separate thread - our registration form disappeared after upgrade as well, and it was recommended I look at tools.php to rebuild. I have not done this yet, as the password showing in the URL was more urgent; we're concerned the server logs would show a lot of usernames and passwords if anyone got hold of it.
              But I am wondering now if the two are related - login seems as if it may be broken, as well as the registration page disappearing, and if login is failing that could be why the password shows in the URL as was mentioned above.
              Is this a known issue - is there a way to rebuild the login flow as well as the Registration page?
              Thanks for your time
              Last edited by NinjaKiwi; Wed 19 Aug '20, 7:56pm.
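              The server-log concern raised in #8, as an added example that is not from the thread or from vBulletin: a scan over access-log lines in Apache/nginx "combined" format for credentials carried in a GET query string, covering both the login request itself and the follow-up page load that leaks the same URL through the Referer header, plus a redaction helper for logs that already contain them. The sample lines, the /auth/login path and the parameter names are constructed for the example; the set of keys treated as sensitive is an assumption.

```python
"""Find and redact credentials that ended up in web-server access logs.

Added example, not from the thread or from vBulletin. Sample log lines are constructed.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-string parameter names treated as credentials (assumption for this example).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "secret", "token"}
USERNAME_KEYS = {"username", "user", "login"}

# Apache/nginx "combined" format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (not real traffic):
#  1. a GET login with credentials in the query string, as described in the thread;
#  2. the next page load, which sends that same URL onward in the Referer header;
#  3. a normal POST login, whose credentials travel in the body and never reach the log.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Aug/2020:19:56:01 +0000] "GET /auth/login?username=Locky&password=hunter2&logintype=login HTTP/1.1" 200 5123 "https://forums.example.com/" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Aug/2020:19:56:03 +0000] "GET /forum/general HTTP/1.1" 200 8841 "https://forums.example.com/auth/login?username=Locky&password=hunter2" "Mozilla/5.0"',
    '198.51.100.4 - - [19/Aug/2020:19:57:10 +0000] "POST /auth/login HTTP/1.1" 302 0 "https://forums.example.com/" "Mozilla/5.0"',
]


def _query_pairs(url: str) -> list:
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def _leaked(url: str):
    """Return (username or None, list of sensitive keys) present in url's query string."""
    pairs = _query_pairs(url)
    username = next((v for k, v in pairs if k.lower() in USERNAME_KEYS), None)
    keys = [k for k, _ in pairs if k.lower() in SENSITIVE_KEYS]
    return username, keys


def find_leaked_credentials(lines) -> list:
    """Report each line whose request target or Referer carries a credential parameter."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real tool would count these
        for where, url in (("request", m["target"]), ("referer", m["referer"])):
            if url == "-":
                continue
            username, keys = _leaked(url)
            if keys:
                findings.append({"line": lineno, "client": m["client"], "where": where,
                                 "username": username, "keys": keys})
    return findings


def _redact_url(url: str) -> str:
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v) for k, v in _query_pairs(url)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def redact_line(line: str) -> str:
    """Rewrite a log line so credential values are replaced; everything else is kept."""
    m = LOG_RE.match(line)
    if not m:
        return line
    out = line
    for url in (m["target"], m["referer"]):
        if url != "-" and _leaked(url)[1]:
            out = out.replace(url, _redact_url(url))
    return out
```

              HTTPS protects the URL on the wire, but the server's access log, the browser history and any Referer sent on the next request all keep it in the clear, which is why a GET fallback for login is something to eliminate rather than to encrypt. The redaction helper is for cleaning logs that already exist; the finding list tells you which accounts need a password reset.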



              • #9
                Did you upgrade from a version before 5.6.0? The login functionality was refactored in 5.6.0 and works in a completely different method than before.

                If you edited your header module before upgrading to 5.6.2, please revert it. Does the login work properly after that? If you are using a module for login, make sure you're displaying the login_main template.




                • #10
                  Hi Wayne,
                  I am still having the same problems mentioned before. I've just completed upgrade to 5.6.3 and the issues are the same.
                  The registration page is missing - I used tools.php to rebuild it, and when viewing the server via its IP address I could see a registration form, but it is not present on the live site.
                  Also login is broken, when you enter username and password login fails and the username and password are shown in the query string in the URL.
                  I reverted my header templates as advised but still no luck.
                  The forums are currently live https://forums.ninjakiwi.com/



                  • #11
                    Does the same issue occur if you create a brand new style with no parent, and browse the site using that?
                    This creates a completely default style with no changes.
                    MARK.B | vBULLETIN SUPPORT

                    TalkNewsUK - My vBulletin 5.6.3 Demo
                    AdminAmmo - My Cloud Demo



                    • #12
                      What is the exact content of this Notice:

                      Welcome to the NK Forums!


                      These forums require you to create a new account (and activate it) as it does not use your ninjakiwi.com game account. It is recommended that you use the same name to register. Do not take someone else's name. New members will need 5 posts and 1 day before they can create a new topic. If you have a question and can't make a thread, use the General Questions Thread. Have fun, read the rules and enjoy the NK forums!




                      • #13
                        Hi Wayne, Hi Mark,
                        Thanks for your help.

                        Mark, I've created a new style and made it active - I am still seeing the same issue - cannot log in - username and password appear in the URL query string. The Register page does not display the form. https://forums.ninjakiwi.com/

                        Wayne,
                        I've disabled all notices to see if that made any difference but unfortunately not. The notice you mentioned is not active anymore but the content was:
                        Code:
                        <b>Welcome to the NK Forums!</b>
                        <p>
                        <p>
                        These forums require you to create a new account (and activate it) as it does not use your ninjakiwi.com game account. It is recommended that you use the same name to register. Do not take someone else's name. New members will need 5 posts and 1 day before they can create a new topic.
                        
                        If you have a question and can't make a thread, use the <a href="https://forums.ninjakiwi.com/forum/main-forum/help-and-support/9283-general-questions-thread-and-ask-here-if-you-can-t-make-a-thread">General Questions Thread</a>.
                        
                        Have fun, <a href="https://forums.ninjakiwi.com/forum/main-forum/help-and-support/107-ninjakiwi-forum-rules">read the rules</a> and enjoy the NK forums!



                        • #14
                          We will need a support ticket and access to the server. I have no idea why it is doing that.




                          • #15
                            Thanks Wayne - I was about to submit a ticket when I thought about Cloudflare. Have disabled some security settings and presto, it's actually working... Thanks so much for the patience guys.
