
Username and password show in query string


  • #16
    I saw this issue on my site recently using Brave Browser with scripts disabled and the URL was populated with login details!

    I was shocked. Even if JavaScript is disabled, why can’t vB use the POST method for login form submission? GET is not recommended for submitting sensitive form data.

    • OrganForum
      OrganForum commented
      Editing a comment
      It doesn't appear possible to log in with the query string, so how and why the credentials wind up there is the question. The user who experienced this on my site was having connectivity problems at the time, so the problem appears to be the AJAX call failing.

    • Wayne Luke
      Wayne Luke commented
      Editing a comment
      It doesn't send anything to the server if Javascript is turned off. Not even a Get query. The vBulletin API doesn't even support Get requests. The web client is a Javascript-powered web app. Javascript is required for it to function.

    • Wayne Luke
      Wayne Luke commented
      Editing a comment
      It doesn't appear possible to log in with the query string, so how and why the credentials wind up there is the question. The user who experienced this on my site was having connectivity problems at the time, so the problem appears to be the AJAX call failing.
      See my last post in this topic.

  • #17
    Agree, webcms. It would be great if the vBulletin team could look at this.
    Our problem is resolved: now that the login is working correctly, it doesn't show up. But if something were to break again, the same thing would happen.
    After fixing the issue today I went through the server logs and there were hundreds of instances of failed login with the username and password recorded - if someone got hold of our logs there would be so many accounts compromised.
    If anyone else has been through this remember to delete your server logs after fixing.
    I'm a web developer working at Ninja Kiwi games!
    Ninja Kiwi
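    The post above describes access logs full of failed logins with the username and password recorded in the request line. Below is an added example (not from this thread or from vBulletin) that scans constructed combined-format log lines for requests whose query string carries login fields, and redacts those values so the log can be retained for investigation without the credentials. The parameter names checked (`username`, `password`) and the sample log lines are assumptions for the demonstration.

```javascript
// Added example: detect and redact credentials that ended up in the query string
// of web-server access logs. Not vBulletin code; log format and field names are assumed.

// Query-string parameter names treated as sensitive (assumption; adjust to the site's login form).
const SENSITIVE_PARAMS = ["password", "username"];

// Apache/nginx "combined" log line: ip ident user [time] "METHOD target PROTO" status bytes ...
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) \S+/;

// Constructed sample lines: two GET logins leaking credentials, one ordinary page hit, one POST login.
const SAMPLE_LOG = [
  '203.0.113.7 - - [01/Sep/2020:09:12:01 +0000] "GET /auth/login?username=alice&password=s3cret%21 HTTP/1.1" 200 512',
  '203.0.113.7 - - [01/Sep/2020:09:12:05 +0000] "GET /forum/ HTTP/1.1" 200 8341',
  '198.51.100.22 - - [01/Sep/2020:09:13:40 +0000] "POST /auth/login HTTP/1.1" 200 133',
  '198.51.100.22 - - [01/Sep/2020:09:14:02 +0000] "GET /auth/login?username=bob&password=hunter2 HTTP/1.1" 200 512',
];

// Parse one log line into its request fields; returns null for lines that do not match.
function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

// Extract the query string of a request target as URLSearchParams (empty if there is none).
function queryParams(target) {
  const idx = target.indexOf("?");
  return new URLSearchParams(idx === -1 ? "" : target.slice(idx + 1));
}

// Report every line whose query string contains a sensitive parameter name.
function findCredentialLeaks(lines, sensitive = SENSITIVE_PARAMS) {
  const hits = [];
  lines.forEach((line, i) => {
    const entry = parseLogLine(line);
    if (!entry) return;
    const params = queryParams(entry.target);
    const exposed = sensitive.filter((name) => params.has(name));
    if (exposed.length > 0) hits.push({ lineNo: i + 1, ip: entry.ip, exposed });
  });
  return hits;
}

// Return the line with sensitive query values replaced by REDACTED; other lines are returned unchanged.
function redactLogLine(line, sensitive = SENSITIVE_PARAMS) {
  const entry = parseLogLine(line);
  if (!entry) return line;
  const idx = entry.target.indexOf("?");
  if (idx === -1) return line;
  const params = new URLSearchParams(entry.target.slice(idx + 1));
  let changed = false;
  for (const name of sensitive) {
    if (params.has(name)) {
      params.set(name, "REDACTED");
      changed = true;
    }
  }
  if (!changed) return line;
  const newTarget = entry.target.slice(0, idx + 1) + params.toString();
  return line.replace(entry.target, newTarget);
}

// Stand-alone run: list the offending lines, then print the redacted log.
if (typeof require !== "undefined" && require.main === module) {
  console.log(findCredentialLeaks(SAMPLE_LOG));
  for (const line of SAMPLE_LOG) console.log(redactLogLine(line));
}
```

    Run it with node to see which lines carry credentials and what the redacted log looks like; in practice the same functions can be applied to a real log before it is shared with anyone outside the incident team.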

    • #18
      I will ask the developers to look at it, but it may be the browser's doing, and we won't have control if Javascript is disabled in any way.

      I think the best we can do is tell users not to submit the form if Javascript is disabled via the NOSCRIPT tag.
      Last edited by Wayne Luke; Tue 1 Sep '20, 9:35am.
      Translations provided by Google.

      Wayne Luke
      The Rabid Badger - a vBulletin Cloud demonstration site.
      vBulletin 5 API

      • OrganForum
        OrganForum commented
        Editing a comment
        Note that NOSCRIPT will not address the problem if javascript is enabled and the AJAX call fails. That's what happened to my user. Timeouts or other errors that might result from a failed script submission need to be handled as well.

    • #19
      I've created this issue: https://tracker.vbulletin.com/vbulle...sues/VBV-20522

      Wayne Luke
      The Rabid Badger - a vBulletin Cloud demonstration site.
      vBulletin 5 API

      • #20
        If you edit the login_main template and change:

        <form action="" class="h-clearfix js-login-form-main ">

        To:

        <form action="" method="post" class="h-clearfix js-login-form-main ">

        It will prevent the user information from being shown. However it won't log them in.

        Wayne Luke
        The Rabid Badger - a vBulletin Cloud demonstration site.
        vBulletin 5 API

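        The template change above adds method="post" to a form that otherwise submits with the browser's default method. As an added example (not vBulletin's code), the block below shows why that matters and how the JavaScript side should behave: a form with no, or an unrecognised, method attribute submits with GET and serialises every field into the URL, while a submit handler that calls preventDefault() before any asynchronous work cannot fall through to that native submission when the AJAX call fails, which is the case OrganForum raised. The field names, the action path and the sendLogin callback are assumptions for the demonstration.

```javascript
// Added example, not vBulletin code: default form method, where credentials end up,
// and a submit handler that never falls back to native submission on AJAX failure.

// Per the HTML standard, a form with no method attribute, or an unrecognised one,
// submits with GET; only "post" (case-insensitive) selects POST.
function effectiveMethod(methodAttr) {
  const m = (methodAttr || "").trim().toLowerCase();
  return m === "post" ? "POST" : "GET";
}

// Build the request a browser sends on native (non-JavaScript) submission.
// With GET the fields are serialised into the URL, so they land in the address bar,
// browser history, Referer headers and the web server's access log.
function nativeSubmission(action, methodAttr, fields) {
  const method = effectiveMethod(methodAttr);
  const encoded = new URLSearchParams(fields).toString();
  if (method === "GET") {
    return { method, url: `${action}?${encoded}`, body: null };
  }
  return { method, url: action, body: encoded };
}

// Does the request URL carry any of the sensitive field names in its query string?
function leaksCredentials(request, sensitiveNames = ["password", "username"]) {
  const qs = request.url.split("?")[1] || "";
  const params = new URLSearchParams(qs);
  return sensitiveNames.some((name) => params.has(name));
}

// Submit handler for the JavaScript-driven login. preventDefault() runs synchronously,
// before the first await, so a timed-out or rejected AJAX call cannot let the browser
// fall through to a native GET submission of the same fields.
// `event` is any object with preventDefault(); `sendLogin` is a hypothetical async
// function standing in for the real API call and resolves on success.
async function handleLoginSubmit(event, fields, sendLogin) {
  event.preventDefault();
  try {
    await sendLogin(fields);
    return { ok: true, error: null };
  } catch (err) {
    // Report the failure to the user rather than retrying through the form itself.
    return { ok: false, error: `Login failed: ${err.message}` };
  }
}

// Stand-alone run: compare the two submissions and exercise the handler with a failing call.
if (typeof require !== "undefined" && require.main === module) {
  const creds = { username: "alice", password: "s3cret" }; // constructed sample input
  console.log(nativeSubmission("/auth/login", undefined, creds));
  console.log(nativeSubmission("/auth/login", "post", creds));
  const fakeEvent = { preventDefault() { console.log("native submission suppressed"); } };
  handleLoginSubmit(fakeEvent, creds, async () => { throw new Error("timeout"); })
    .then((result) => console.log(result));
}
```

        The handler is the part that addresses the AJAX-failure case: as long as preventDefault() is invoked before the first await, nothing the network does afterwards can turn the request into a GET with credentials in the query string, and adding method="post" to the template covers the no-JavaScript case on top of that.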
