[Django] #28225: Credentials of the Admin login form are stored in the browser because autocomplete was enabled by default.


[Django] #28225: Credentials of the Admin login form are stored in the browser because autocomplete was enabled by default.

Django
#28225: Credentials of the Admin login form are stored in the browser because autocomplete was enabled by default.
-----------------------------------------+------------------------
               Reporter:  xkill          |          Owner:  nobody
                   Type:  Uncategorized  |         Status:  new
              Component:  contrib.admin  |        Version:  1.11
               Severity:  Normal         |       Keywords:
           Triage Stage:  Unreviewed     |      Has patch:  0
    Needs documentation:  0              |    Needs tests:  0
Patch needs improvement:  0              |  Easy pickings:  0
                  UI/UX:  0              |
-----------------------------------------+------------------------
 The credentials are stored in the browser cache.

 It is a security issue or vulnerability.

 CVSS 2 = 1.9 (AV:L/AC:M/Au:N/C:P/I:N/A:N)

 A variable in the configuration of the Django application can be set to
 enable or disable autocompletion on the login form of the admin interface.

--
Ticket URL: <https://code.djangoproject.com/ticket/28225>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/048.e19bfb0d47a5a27be8fdd62f055efa52%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Django] #28225: Credentials of the Admin login form are stored in the browser because autocomplete was enabled by default.

Django
#28225: Credentials of the Admin login form are stored in the browser because autocomplete was enabled by default.
--------------------------------+--------------------------------------
     Reporter:  Pablo Catalina  |                    Owner:  nobody
         Type:  Uncategorized   |                   Status:  closed
    Component:  contrib.admin   |                  Version:  1.11
     Severity:  Normal          |               Resolution:  invalid
     Keywords:                  |             Triage Stage:  Unreviewed
    Has patch:  0               |      Needs documentation:  0
  Needs tests:  0               |  Patch needs improvement:  0
Easy pickings:  0               |                    UI/UX:  0
--------------------------------+--------------------------------------
Changes (by Tim Graham):

 * status:  new => closed
 * resolution:   => invalid


Comment:

 I don't believe that browsers storing login credentials is a security
 issue. By the way, security issues should be
 [https://docs.djangoproject.com/en/dev/internals/security/#reporting-security-issues reported to the security team]
 rather than in this ticket tracker.

--
Ticket URL: <https://code.djangoproject.com/ticket/28225#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/063.787b32635ed1c21b0a88df47b0b2d918%40djangoproject.com.

Re: [Django] #28225: Credentials of the Admin login form are stored in the browser because autocomplete was enabled by default.

Django
#28225: Credentials of the Admin login form are stored in the browser because autocomplete was enabled by default.
--------------------------------+--------------------------------------
     Reporter:  Pablo Catalina  |                    Owner:  nobody
         Type:  Uncategorized   |                   Status:  closed
    Component:  contrib.admin   |                  Version:  1.11
     Severity:  Normal          |               Resolution:  invalid
     Keywords:                  |             Triage Stage:  Unreviewed
    Has patch:  0               |      Needs documentation:  0
  Needs tests:  0               |  Patch needs improvement:  0
Easy pickings:  0               |                    UI/UX:  0
--------------------------------+--------------------------------------

Comment (by Tim Graham):

 In fact this issue has been reported several times to the security team.
 Here's the team's response:

 We intentionally leave autocomplete enabled as we believe that all modern
 browsers now handle local form completion in a reasonably sane manner.
 Autocomplete enables individuals to use stronger passwords and makes them
 less susceptible to phishing attacks. These benefits greatly outweigh the
 minor risk here. If you disagree, we encourage you to also read this post:
 http://blog.0xbadc0de.be/archives/124

--
Ticket URL: <https://code.djangoproject.com/ticket/28225#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/063.a5d132e6d0b914b8c2edb4fee10cdfdb%40djangoproject.com.