Announcement

**webcms** · Mon 31 Aug '20, 4:51pm

I saw this issue on my site recently using Brave Browser with scripts disabled and the URL was populated with login details!

Was shocked, even if JavaScript is disabled, why can’t vb use the POST method for login form submission. GET is not recommended for submitting sensitive form data.

**NinjaKiwi** · Mon 31 Aug '20, 8:35pm

Agree webcms, It would be great if the vBulletin team could look at this.
Our problem is resolved now that the login is working correctly it doesn't show up. But if something was to break again the same thing will happen.
After fixing the issue today I went through the server logs and there were hundreds of instances of failed login with the username and password recorded - if someone got hold of our logs there would be so many accounts compromised.
If anyone else has been through this remember to delete your server logs after fixing.

**Wayne Luke** · Tue 1 Sep '20, 9:23am

I will ask the developers to look at it but it may be the browser's doing and we won't have control if Javascript is disabled in anyway.

I think the best we can do is tell users not to submit the form if Javascript is disabled via the NOSCRIPT tag.

**Wayne Luke** · Tue 1 Sep '20, 9:56am

I've created this issue: https://tracker.vbulletin.com/vbulle...sues/VBV-20522

**Wayne Luke** · Tue 1 Sep '20, 11:17am

If you edit the login_main template and change:

<form action="" class="h-clearfix js-login-form-main ">

To:

<form action="" method="post" class="h-clearfix js-login-form-main ">

It will prevent the user information from being shown. However it won't log them in.

Announcement

Username and Password shows in query string

Comment

Comment

Comment

Comment

Comment

Related Topics