- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Hello dear community, good afternoon:
Please your support: I tell you about an "X" vendor vulnerability scan tool, I detect the following vuln against the IP of the MGT WEB-GUI of the Firewall.
Problem,inconvenience, vulnerability against the WEB-GUI/MGT of the firewall directly:
Low TCP 443 Web Server Allows Password Auto-Completion:
The 'autocomplete' attribute is not disabled on password fields.
"The remote web server contains at least one HTML form field that has
an input of type 'password' where 'autocomplete' is not set to 'off'.
While this does not represent a risk to this web server per se, it
does mean that users who use the affected forms may have their
credentials saved in their browsers, which could in turn lead to a
Loss of confidentiality if any of them use a shared host or if their
machine is compromised at some point."
"Page : /php/login.php
Destination Page: /php/login.php
Does anyone know if this is correct or is it a false positive, and if correct, can someone tell me how to mitigate this vulnerability.
Thank you, greetings and attentive to your comments.
Well... it appears to be correct in so far as what it is testing for. Whether you really consider it a vulnerability is a matter of debate. The security concern would be the browser saving user credentials, but that is in the browser regardless what webpage you go to.
The PaloAlto in v9.1 appears to use a different method to try and block saving credentials in the webcode:
<input type="password" style="display:none"> <!-- Work around to disable password autofill from browser -->
<input type="password" maxlength="120" size="19" id="passwd" name="passwd" onkeypress="checkCapsLock(event);">
Other versions might use a different method. You could try submitting a feature request to PaloAlto to use the autocomplete= attribute, instead of their current method, in future releases. Though searching around it appears that the autocomplete= attribute is ignored by some browsers.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!