http://issues.apache.org/bugzilla/show_bug.cgi?id=38383

           Summary: Login page should use POST method instead of GET
           Product: Lenya
           Version: 1.2.4
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: critical
          Priority: P1
         Component: Access Control
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]


The login page for Lenya 1.2.4 (and I think 1.4 as well) uses a GET instead of a
POST, which causes user passwords to be exposed in clear text in the web access
log files.

The solution is to change login.xsl from this:

    <form method="get">
      <input type="hidden" name="lenya.usecase" value="login" />
      <input type="hidden" name="lenya.step" value="login" />

to this:

    <form method="post" action="?lenya.usecase=login&amp;lenya.step=login">

I'll attach a patch shortly...
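
A log audit that follows from the report above, as an added example that is not part of the original bug report or of Lenya: it flags access-log request lines where the login usecase carried a credential in the query string and redacts the value. The field name `password`, the request paths and the log lines are constructed assumptions; the report only names `lenya.usecase` and `lenya.step`.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumption: the page does not name the credential field of the login form,
# so "password" is a placeholder for whatever the deployed form submits.
SENSITIVE = {"password"}

# Request line inside a Common/Combined Log Format entry: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def scrub_line(line):
    """Return (line_with_credentials_redacted, exposed) for one log entry."""
    m = REQUEST.search(line)
    if not m:
        return line, False
    parts = urlsplit(m.group("target"))
    params = parse_qsl(parts.query, keep_blank_values=True)
    # Only the login usecase is of interest; after the fix its query string
    # carries lenya.usecase and lenya.step but no credential fields.
    is_login = ("lenya.usecase", "login") in params
    if not (is_login and any(k in SENSITIVE for k, _ in params)):
        return line, False
    clean = [(k, "REDACTED" if k in SENSITIVE else v) for k, v in params]
    target = parts._replace(query=urlencode(clean)).geturl()
    return line[:m.start("target")] + target + line[m.end("target"):], True

def scan(lines):
    """Scrub every line; return (scrubbed_lines, number_of_exposed_entries)."""
    results = [scrub_line(l) for l in lines]
    return [l for l, _ in results], sum(1 for _, hit in results if hit)

# Constructed sample entries, not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jan/2006:10:01:02 +0000] "GET /lenya/default/authoring/'
    'index.html?lenya.usecase=login&lenya.step=login&username=alice'
    '&password=s3cret HTTP/1.1" 200 5120',
    '192.0.2.10 - - [17/Jan/2006:10:05:40 +0000] "POST /lenya/default/authoring/'
    'index.html?lenya.usecase=login&lenya.step=login HTTP/1.1" 200 5120',
    '192.0.2.11 - - [17/Jan/2006:10:06:00 +0000] "GET /lenya/default/live/'
    'index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    scrubbed, hits = scan(SAMPLE_LOG)
    print(f"{hits} entry(ies) exposed a credential in the query string")
    for entry in scrubbed:
        print(entry)
```

Any account that appears in a flagged entry should have its password changed, since the value was already written to disk in clear text.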
