#18176: Firefox prepopulates root password into luci form fields inappropriately
------------------------+-----------------------------------
Reporter: askalski@… | Owner:
Type: defect | Status: new
Priority: high | Milestone:
Component: luci | Version: Barrier Breaker 14.07
Keywords: security |
------------------------+-----------------------------------
Whenever you log into a web site such as OpenWRT's luci configuration
page, Firefox offers to remember your username/password. This is
convenient, especially if you are doing a lot of configuration work on
your router.
However, because many form fields within luci (unrelated to the router
login page) are also named "username" and "password", they get
prepopulated with the root username and password. This compromises
security, because it can result in the router credentials being
transmitted in the clear over the Internet.
Two examples of pages with "username" and "password" fields that get
populated. Both involve scripts which transmit their credentials over
plaintext HTTP:
* /admin/network/network/wan6 (select the "IPv6-in-IPv4" protocol, and
enable the "HE.net dynamic endpoint update" checkbox)
* /admin/services/ddns (install the luci-app-ddns package, then use luci
to blank out the ddns username/password fields and click "Save"; the form
fields will be repopulated with the root credentials)
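A template-level check for the pattern this ticket describes, written as an added example (not LuCI code): it scans rendered HTML for non-login forms that carry a password input next to credential-like field names without an autocomplete opt-out, which is exactly what a browser password manager will fill with the saved router login. The sample HTML, the `cbid.*` field names and the login form action are constructed assumptions, not taken from LuCI templates.

```python
"""Flag forms a browser password manager may prepopulate with the site's
saved login (ticket #18176 pattern). Added example, not LuCI code."""
from html.parser import HTMLParser

# Assumption: the real login form posts here; every other form is "unrelated".
LOGIN_ACTIONS = {"/cgi-bin/luci"}
# Browser autofill heuristics key on names/ids containing these substrings.
CREDENTIAL_HINTS = ("user", "pass")
OPT_OUT_VALUES = {"off", "new-password"}


class FormScanner(HTMLParser):
    """Collect each <form> with its action, autocomplete attribute and inputs."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action", ""),
                         "autocomplete": a.get("autocomplete"), "fields": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["fields"].append({"name": (a.get("name") or "").lower(),
                                        "type": (a.get("type") or "text").lower(),
                                        "autocomplete": a.get("autocomplete")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def _opted_out(form, field):
    ac = field["autocomplete"] or form["autocomplete"]
    return ac is not None and ac.lower() in OPT_OUT_VALUES


def find_risky_forms(html, login_actions=LOGIN_ACTIONS):
    """Return [(action, [field names])] for non-login forms that have a
    password input and credential-like fields with no autocomplete opt-out."""
    scanner = FormScanner()
    scanner.feed(html)
    risky = []
    for form in scanner.forms:
        if form["action"] in login_actions:
            continue  # the login form is supposed to be filled
        has_pw = any(f["type"] == "password" for f in form["fields"])
        hits = [f["name"] for f in form["fields"]
                if (f["type"] == "password" or any(h in f["name"] for h in CREDENTIAL_HINTS))
                and not _opted_out(form, f)]
        if has_pw and hits:
            risky.append((form["action"], hits))
    return risky


# Constructed sample: login form, a ddns form matching the ticket, and a
# wan6 form that has already opted out of autofill.
SAMPLE_HTML = """
<form action="/cgi-bin/luci" method="post">
  <input name="username"><input name="password" type="password"></form>
<form action="/cgi-bin/luci/admin/services/ddns" method="post">
  <input name="cbid.ddns.myddns.username">
  <input name="cbid.ddns.myddns.password" type="password"></form>
<form action="/cgi-bin/luci/admin/network/network/wan6" autocomplete="off">
  <input name="cbid.network.wan6.tunnelid">
  <input name="cbid.network.wan6.password" type="password"></form>
"""
```

Treat a hit as a reason to rename the fields (browser heuristics match on the name and id strings) rather than relying on `autocomplete="off"` alone, which current browsers ignore for credential-style fields.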
--
Ticket URL: <https://dev.openwrt.org/ticket/18176>
OpenWrt <http://openwrt.org>
Opensource Wireless Router Technology