Username and Password shows in query string

  • Wayne Luke
    commented on 's reply
    It doesn't appear possible to log in with the query string, so how and why the credentials wind up there is the question. The user who experienced this on my site was having connectivity problems at the time, so the problem appears to be the AJAX call failing.
    See my last post in this topic.

  • OrganForum
    commented on 's reply
    Note that NOSCRIPT will not address the problem if javascript is enabled and the AJAX call fails. That's what happened to my user. Timeouts or other errors that might result from a failed script submission need to be handled as well.

  • Wayne Luke
    replied
    If you edit the login_main template and change:

    <form action="" class="h-clearfix js-login-form-main ">

    To:

    <form action="" method="post" class="h-clearfix js-login-form-main ">

    It will prevent the user information from being shown. However, it won't log them in.
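A template check for the condition this change addresses, as an added example that is not part of the original post or of vBulletin's code: a form with no `method` attribute is submitted via GET whenever the script handler does not intercept it, which puts its fields in the URL. The input field names and the markup wrapped around the two quoted form tags are constructed.

```python
from html.parser import HTMLParser

class PasswordFormAudit(HTMLParser):
    """Flag <form> elements that hold a password field but would submit via GET."""

    def __init__(self):
        super().__init__()
        self.findings = []   # (line number, declared method) per risky form
        self._form = None    # state of the form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._finish()   # tolerate a template that never closed the last form
            self._form = {"line": self.getpos()[0],
                          "method": a.get("method", "").strip().lower(),
                          "password": False}
        elif tag == "input" and self._form is not None:
            if a.get("type", "").strip().lower() == "password":
                self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._finish()

    def _finish(self):
        form, self._form = self._form, None
        # A missing or unrecognised method makes the browser fall back to GET.
        if form and form["password"] and form["method"] not in ("post", "dialog"):
            self.findings.append((form["line"], form["method"] or "(none)"))

def audit(template_text):
    """Return [(line, method)] for every password form that is not method=post."""
    parser = PasswordFormAudit()
    parser.feed(template_text)
    parser.close()
    parser._finish()         # evaluate a form left open at end of input
    return parser.findings

# Constructed sample: the two <form> tags quoted in the post, wrapped around
# constructed input fields (the field names are assumptions).
FIELDS = ('\n  <input type="text" name="username">'
          '\n  <input type="password" name="password">\n</form>')
BEFORE = '<form action="" class="h-clearfix js-login-form-main ">' + FIELDS
AFTER = '<form action="" method="post" class="h-clearfix js-login-form-main ">' + FIELDS

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```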


  • Wayne Luke
    replied
    I've created this issue: https://tracker.vbulletin.com/vbulle...sues/VBV-20522


  • Wayne Luke
    replied
    I will ask the developers to look at it, but it may be the browser's doing and we won't have control if Javascript is disabled in any way.

    I think the best we can do is tell users not to submit the form if Javascript is disabled via the NOSCRIPT tag.
    Last edited by Wayne Luke; Tue 1 Sep '20, 9:35am.


  • Wayne Luke
    commented on 's reply
    It doesn't send anything to the server if Javascript is turned off. Not even a Get query. The vBulletin API doesn't even support Get requests. The web client is a Javascript-powered web app. Javascript is required for it to function.

  • OrganForum
    commented on 's reply
    It doesn't appear possible to log in with the query string, so how and why the credentials wind up there is the question. The user who experienced this on my site was having connectivity problems at the time, so the problem appears to be the AJAX call failing.

  • NinjaKiwi
    replied
    Agree, webcms. It would be great if the vBulletin team could look at this.
    Our problem is resolved: now that the login is working correctly, it doesn't show up. But if something were to break again, the same thing will happen.
    After fixing the issue today I went through the server logs and there were hundreds of instances of failed login with the username and password recorded - if someone got hold of our logs there would be so many accounts compromised.
    If anyone else has been through this, remember to delete your server logs after fixing.
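A log scrub for the situation described in this post, as an added example that is not part of the original post: it redacts credential values from access-log lines and lists the usernames that were exposed. The parameter names `username` and `password` and the sample log lines are constructed assumptions; the pattern also covers the Referer field, where the same URL can reappear on later requests.

```python
import re
from urllib.parse import unquote_plus

# Assumed query-string parameter names; adjust to what your logs actually show.
SENSITIVE_KEYS = ("username", "password")
PARAM_RE = re.compile(
    r'(?P<sep>[?&])(?P<key>' + "|".join(SENSITIVE_KEYS) + r')=(?P<val>[^&\s"#]*)',
    re.IGNORECASE,
)

def scrub(lines):
    """Return (clean_lines, hit_line_numbers, exposed_usernames)."""
    clean, hits, accounts = [], [], set()
    for lineno, line in enumerate(lines, 1):
        # Record which accounts appeared next to a leaked password.
        for m in PARAM_RE.finditer(line):
            if m["key"].lower() == "username":
                accounts.add(unquote_plus(m["val"]))
        # Replace every sensitive value, in the request line and the Referer.
        new, count = PARAM_RE.subn(
            lambda m: f'{m["sep"]}{m["key"]}=REDACTED', line)
        if count:
            hits.append(lineno)
        clean.append(new)
    return clean, hits, sorted(accounts)

# Constructed sample lines in combined log format (not taken from any real site).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Sep/2020:09:12:44 +0000] '
    '"GET /?username=alice&password=Tr0ub4dor%263 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Sep/2020:09:12:45 +0000] "GET /logo.png HTTP/1.1" 200 812 '
    '"https://forum.example/?username=alice&password=Tr0ub4dor%263" "Mozilla/5.0"',
    '198.51.100.23 - - [01/Sep/2020:09:13:02 +0000] '
    '"GET /forum/main-forum?page=2 HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    clean, hits, accounts = scrub(SAMPLE_LOG)
    print("\n".join(clean))
    print("lines with credentials:", hits)
    print("accounts to review:", accounts)
```

Rotated and compressed copies of the log, and any backups or log-shipping targets, hold the same lines and need the same treatment.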


  • webcms
    replied
    I saw this issue on my site recently using Brave Browser with scripts disabled, and the URL was populated with login details!

    Was shocked. Even if JavaScript is disabled, why can't vb use the POST method for login form submission? GET is not recommended for submitting sensitive form data.


  • NinjaKiwi
    replied
    Thanks Wayne - I was about to submit a ticket when I thought about Cloudflare. Have disabled some security settings and presto, it's actually working... Thanks so much for the patience guys.


  • Wayne Luke
    replied
    We will need a support ticket and access to the server. I have no idea why it is doing that.


  • NinjaKiwi
    replied
    Hi Wayne, Hi Mark,
    Thanks for your help.

    Mark, I've created a new style and made it active - am still seeing the same issue - cannot log in - username and password appear in URL query string. Register page does not display form. https://forums.ninjakiwi.com/

    Wayne,
    I've disabled all notices to see if that made any difference but unfortunately not. The notice you mentioned is not active anymore but the content was:
    Code:
    <b>Welcome to the NK Forums!</b>
    <p>
    <p>
    These forums require you to create a new account (and activate it) as it does not use your ninjakiwi.com game account. It is recommended that you use the same name to register. Do not take someone else's name. New members will need 5 posts and 1 day before they can create a new topic.
    
    If you have a question and can't make a thread, use the <a href="https://forums.ninjakiwi.com/forum/main-forum/help-and-support/9283-general-questions-thread-and-ask-here-if-you-can-t-make-a-thread">General Questions Thread</a>.
    
    Have fun, <a href="https://forums.ninjakiwi.com/forum/main-forum/help-and-support/107-ninjakiwi-forum-rules">read the rules</a> and enjoy the NK forums!


  • Wayne Luke
    replied
    What is the exact content of this Notice:

    Welcome to the NK Forums!


    These forums require you to create a new account (and activate it) as it does not use your ninjakiwi.com game account. It is recommended that you use the same name to register. Do not take someone else's name. New members will need 5 posts and 1 day before they can create a new topic. If you have a question and can't make a thread, use the General Questions Thread. Have fun, read the rules and enjoy the NK forums!


  • Mark.B
    replied
    Does the same issue occur if you create a brand new style with no parent, and browse the site using that?
    This creates a completely default style with no changes.


  • NinjaKiwi
    replied
    Hi Wayne,
    I am still having the same problems mentioned before. I've just completed the upgrade to 5.6.3 and the issues are the same.
    The registration page is missing - I used tools.php to rebuild it, and when viewing the server via its IP address I could see a registration form, but it is not present on the live site.
    Also, login is broken: when you enter a username and password, login fails and the username and password are shown in the query string in the URL.
    I reverted my header templates as advised but still no luck.
    The forums are currently live https://forums.ninjakiwi.com/
