Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#28225 closed Uncategorized (invalid)

Credentials of the admin login form are stored in the browser because autocomplete is enabled by default.

Reported by: Pablo Catalina
Owned by: nobody
Component: contrib.admin
Version: 1.11
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

The credentials are stored in the browser cache.

It is a security issue or vulnerability.

CVSS 2 = 1.9 (AV:L/AC:M/Au:N/C:P/I:N/A:N)

A variable in the configuration of the Django application can be set to enable or disable autocompletion on the login form of the admin interface.

Change History (2)

comment:1 by Tim Graham, 7 years ago

Resolution: invalid
Status: new → closed

I don't believe that browsers storing login credentials is a security issue. By the way, security issues should be reported to the security team rather than in this ticket tracker.

comment:2 by Tim Graham, 7 years ago

In fact this issue has been reported several times to the security team. Here's the team's response:

We intentionally leave autocomplete enabled as we believe that all modern browsers now handle local form completion in a reasonably sane manner. Autocomplete enables individuals to use stronger passwords and makes them less susceptible to phishing attacks. These benefits greatly outweigh the minor risk here. If you disagree, we encourage you to also read this post: http://blog.0xbadc0de.be/archives/124
