TCP 443 Web Server Allows Password Auto-Completion


L4 Transporter

Hello dear community, good afternoon:

Please, I need your support: with an "X" vendor vulnerability scan tool I detected the following vuln against the IP of the MGT WEB-GUI of the Firewall.

Problem/inconvenience/vulnerability against the WEB-GUI/MGT of the firewall directly:

Details:
Low TCP 443 Web Server Allows Password Auto-Completion:
The 'autocomplete' attribute is not disabled on password fields.
"The remote web server contains at least one HTML form field that has
an input of type 'password' where 'autocomplete' is not set to 'off'.
While this does not represent a risk to this web server per se, it
does mean that users who use the affected forms may have their
credentials saved in their browsers, which could in turn lead to a
Loss of confidentiality if any of them use a shared host or if their
machine is compromised at some point."

"Page : /php/login.php
Destination Page: /php/login.php"
******

Does anyone know if this is correct or if it is a false positive, and if it is correct, can someone tell me how to mitigate this vulnerability?


Thank you, greetings and attentive to your comments.

1 REPLY

L6 Presenter

Well... it appears to be correct insofar as what it is testing for. Whether you really consider it a vulnerability is a matter of debate. The security concern would be the browser saving user credentials, but that is in the browser regardless of what webpage you go to.

The PaloAlto in v9.1 appears to use a different method to try and block saving credentials in the webcode:


<input type="password" style="display:none"> <!-- Work around to disable password autofill from browser -->
<input type="password" maxlength="120" size="19" id="passwd" name="passwd" onkeypress="checkCapsLock(event);">

Other versions might use a different method. You could try submitting a feature request to PaloAlto to use the autocomplete= attribute, instead of their current method, in future releases. Though searching around it appears that the autocomplete= attribute is ignored by some browsers.
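As an added example (not code from the original post, from Palo Alto Networks, or from any scanner vendor), the following Node.js script reproduces the check described in the question against a constructed login form modelled on the markup quoted in the reply: it lists every password field that has no autocomplete="off" on the input or on its enclosing form, and separately reports whether the hidden dummy-input workaround is present, so a reviewer can tell a raw scanner hit from a page that already carries the alternative mitigation. The two sample pages, the function names and the "user" field are constructed for this example; "passwd" and the hidden input are taken from the reply.

```javascript
// Added example, not from the original post or from Palo Alto Networks.
// Reproduces the scanner's "password field without autocomplete=off" test
// and detects the hidden-dummy-input workaround quoted in the reply.

// Constructed sample: a login form modelled on the markup quoted above.
const SAMPLE_LOGIN_PAGE = `
<form method="post" action="/php/login.php">
  <input type="text" id="user" name="user">
  <input type="password" style="display:none"> <!-- Work around to disable password autofill from browser -->
  <input type="password" maxlength="120" size="19" id="passwd" name="passwd" onkeypress="checkCapsLock(event);">
</form>`;

// Constructed hardened variant: autocomplete="off" on the form and the field,
// which is what the scanner's check accepts.
const HARDENED_LOGIN_PAGE = `
<form method="post" action="/php/login.php" autocomplete="off">
  <input type="text" id="user" name="user">
  <input type="password" id="passwd" name="passwd" autocomplete="off">
</form>`;

// Pull name="value" pairs out of one HTML start tag (good enough for a login
// page; not a full HTML parser). Attribute names are lower-cased.
function parseAttributes(tag) {
  const body = tag.replace(/^<\s*[a-zA-Z0-9]+/, '').replace(/\/?>$/, '');
  const attrs = {};
  const attrRe = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = attrRe.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Attribute maps of every <input> whose type is "password".
function findPasswordInputs(html) {
  const found = [];
  const tagRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[0]);
    if ((attrs.type || 'text').toLowerCase() === 'password') found.push(attrs);
  }
  return found;
}

// True when the first <form> carries autocomplete="off", which applies to
// every field inside it.
function formAutocompleteOff(html) {
  const m = /<form\b[^>]*>/i.exec(html);
  return m !== null && (parseAttributes(m[0]).autocomplete || '').toLowerCase() === 'off';
}

// The audit itself: which real password fields the scanner would flag, and
// whether the page relies on the hidden decoy input instead.
function auditPasswordAutocomplete(html) {
  const formOff = formAutocompleteOff(html);
  const flaggedFields = [];
  let hiddenDecoyPresent = false;
  for (const attrs of findPasswordInputs(html)) {
    const style = (attrs.style || '').replace(/\s/g, '').toLowerCase();
    // A nameless, display:none password input is the decoy from the reply,
    // not a credential field the user types into: note it and skip it.
    if (!attrs.name && style.includes('display:none')) {
      hiddenDecoyPresent = true;
      continue;
    }
    const ac = (attrs.autocomplete || '').toLowerCase();
    if (!formOff && ac !== 'off') flaggedFields.push(attrs.name || attrs.id || '(unnamed)');
  }
  return { flaggedFields, hiddenDecoyPresent, scannerWouldFlag: flaggedFields.length > 0 };
}

console.log('as quoted:', auditPasswordAutocomplete(SAMPLE_LOGIN_PAGE));
console.log('hardened :', auditPasswordAutocomplete(HARDENED_LOGIN_PAGE));
```

Run it with node; the first result flags the "passwd" field and reports the decoy input, the second flags nothing. Because the check is purely a markup check, a clean result only means the scanner's plugin will stop reporting it; as the reply notes, browsers may ignore the autocomplete attribute for saved passwords, so the markup is not a guarantee that credentials will not be stored on the client.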
