This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

TCP 443 Web Server Allows Password Auto-Completion

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

TCP 443 Web Server Allows Password Auto-Completion

Metgatz
L4 Transporter

‎07-08-2022 10:22 AM

Hello dear community, good afternoon:

 

Please your support: I tell you about an "X" vendor vulnerability scan tool, I detect the following vuln against the IP of the MGT WEB-GUI of the Firewall.

Problem,inconvenience, vulnerability against the WEB-GUI/MGT of the firewall directly:

 

Details:
Low TCP 443 Web Server Allows Password Auto-Completion:
The 'autocomplete' attribute is not disabled on password fields.
"The remote web server contains at least one HTML form field that has
an input of type 'password' where 'autocomplete' is not set to 'off'.
While this does not represent a risk to this web server per se, it
does mean that users who use the affected forms may have their
credentials saved in their browsers, which could in turn lead to a
Loss of confidentiality if any of them use a shared host or if their
machine is compromised at some point."

"Page : /php/login.php
Destination Page: /php/login.php
"
******

Does anyone know if this is correct or is it a false positive, and if correct, can someone tell me how to mitigate this vulnerability.


Thank you, greetings and attentive to your comments.

High Sticker
0 Likes Likes
1 REPLY 1

Adrian_Jensen
L6 Presenter

‎07-08-2022 03:05 PM

Well... it appears to be correct in so far as what it is testing for. Whether you really consider it a vulnerability is a matter of debate. The security concern would be the browser saving user credentials, but that is in the browser regardless what webpage you go to.

 

The PaloAlto in v9.1 appears to use a different method to try and block saving credentials in the webcode:

<input type="password" style="display:none"> <!-- Work around to disable password autofill from browser -->
<input type="password" maxlength="120" size="19" id="passwd" name="passwd" onkeypress="checkCapsLock(event);">

Other versions might use a different method. You could try submitting a feature request to PaloAlto to use the autocomplete= attribute, instead of their current method, in future releases. Though searching around it appears that the autocomplete= attribute is ignored by some browsers.

0 Likes Likes
  • 8445 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks