https://live.paloaltonetworks.com/t5/general-topics/tcp-443-web-server-allows-password-auto-completion/m-p/508348#M105849 <P>Hello dear community, good afternoon:</P> <P>&nbsp;</P> <P>Please your support: I tell you about an "X" vendor vulnerability scan tool, I detect the following vuln against the IP of the MGT WEB-GUI of the Firewall.</P> <P>Problem,inconvenience, vulnerability against the WEB-GUI/MGT of the firewall directly:</P> <P>&nbsp;</P> <P>Details:<BR />Low TCP 443 Web Server Allows Password Auto-Completion:<BR />The 'autocomplete' attribute is not disabled on password fields.<BR />"The remote web server contains at least one HTML form field that has<BR />an input of type 'password' where 'autocomplete' is not set to 'off'.<BR />While this does not represent a risk to this web server per se, it<BR />does mean that users who use the affected forms may have their<BR />credentials saved in their browsers, which could in turn lead to a<BR />Loss of confidentiality if any of them use a shared host or if their<BR />machine is compromised at some point."</P> <P>"Page : /php/login.php<BR />Destination Page: /php/login.php<BR />"<BR />******</P> <P>Does anyone know if this is correct or is it a false positive, and if correct, can someone tell me how to mitigate this vulnerability.</P> <P><BR />Thank you, greetings and attentive to your comments.</P> Fri, 08 Jul 2022 17:22:12 GMT Metgatz 2022-07-08T17:22:12Z https://live.paloaltonetworks.com/t5/general-topics/tcp-443-web-server-allows-password-auto-completion/m-p/508348#M105849 <P>Hello dear community, good afternoon:</P> <P>&nbsp;</P> <P>Please your support: I tell you about an "X" vendor vulnerability scan tool, I detect the following vuln against the IP of the MGT WEB-GUI of the Firewall.</P> <P>Problem,inconvenience, vulnerability against the WEB-GUI/MGT of the firewall directly:</P> <P>&nbsp;</P> <P>Details:<BR />Low TCP 443 Web Server Allows Password Auto-Completion:<BR />The 'autocomplete' attribute is not disabled on password fields.<BR />"The remote web server contains at least one HTML form field that has<BR />an input of type 'password' where 'autocomplete' is not set to 'off'.<BR />While this does not represent a risk to this web server per se, it<BR />does mean that users who use the affected forms may have their<BR />credentials saved in their browsers, which could in turn lead to a<BR />Loss of confidentiality if any of them use a shared host or if their<BR />machine is compromised at some point."</P> <P>"Page : /php/login.php<BR />Destination Page: /php/login.php<BR />"<BR />******</P> <P>Does anyone know if this is correct or is it a false positive, and if correct, can someone tell me how to mitigate this vulnerability.</P> <P><BR />Thank you, greetings and attentive to your comments.</P> Fri, 08 Jul 2022 17:22:12 GMT https://live.paloaltonetworks.com/t5/general-topics/tcp-443-web-server-allows-password-auto-completion/m-p/508348#M105849 Metgatz 2022-07-08T17:22:12Z https://live.paloaltonetworks.com/t5/general-topics/tcp-443-web-server-allows-password-auto-completion/m-p/508382#M105858 <P>Well... it appears to be correct in so far as what it is testing for. Whether you really consider it a vulnerability is a matter of debate. The security concern would be the browser saving user credentials, but that is in the browser regardless what webpage you go to.</P> <P>&nbsp;</P> <P>The PaloAlto in v9.1 appears to use a different method to try and block saving credentials in the webcode:</P> <BLOCKQUOTE><HR />&lt;input type="password" style="display:none"&gt; &lt;!-- Work around to disable password autofill from browser --&gt;<BR />&lt;input type="password" maxlength="120" size="19" id="passwd" name="passwd" onkeypress="checkCapsLock(event);"&gt;<BR /><HR /></BLOCKQUOTE> <P>Other versions might use a different method. You could try submitting a feature request to PaloAlto to use the autocomplete= attribute, instead of their current method, in future releases. Though searching around it appears that the autocomplete= attribute is ignored by some browsers.</P> Fri, 08 Jul 2022 22:05:57 GMT https://live.paloaltonetworks.com/t5/general-topics/tcp-443-web-server-allows-password-auto-completion/m-p/508382#M105858 Adrian_Jensen 2022-07-08T22:05:57Z