[Django] #28225: Credentials of the Admin login form are stored browser due autocomplete was enabled by default.


Django
#28225: Credentials of the Admin login form are stored browser due autocomplete was
enabled by default.
-----------------------------------------+------------------------
               Reporter:  xkill          |          Owner:  nobody
                   Type:  Uncategorized  |         Status:  new
              Component:  contrib.admin  |        Version:  1.11
               Severity:  Normal         |       Keywords:
           Triage Stage:  Unreviewed     |      Has patch:  0
    Needs documentation:  0              |    Needs tests:  0
Patch needs improvement:  0              |  Easy pickings:  0
                  UI/UX:  0              |
-----------------------------------------+------------------------
 The credentials are stored in the browser cache.

 It is a security issue or vulnerability.

 CVSS 2 = 1.9 (AV:L/AC:M/Au:N/C:P/I:N/A:N)

 A variable in the configuration of the Django application can be set to
 enable or disable autocompletion on the login form of the admin interface.

--
Ticket URL: <https://code.djangoproject.com/ticket/28225>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/048.e19bfb0d47a5a27be8fdd62f055efa52%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Django] #28225: Credentials of the Admin login form are stored browser due autocomplete was enabled by default.

Django
#28225: Credentials of the Admin login form are stored browser due autocomplete was
enabled by default.
--------------------------------+--------------------------------------
     Reporter:  Pablo Catalina  |                    Owner:  nobody
         Type:  Uncategorized   |                   Status:  closed
    Component:  contrib.admin   |                  Version:  1.11
     Severity:  Normal          |               Resolution:  invalid
     Keywords:                  |             Triage Stage:  Unreviewed
    Has patch:  0               |      Needs documentation:  0
  Needs tests:  0               |  Patch needs improvement:  0
Easy pickings:  0               |                    UI/UX:  0
--------------------------------+--------------------------------------
Changes (by Tim Graham):

 * status:  new => closed
 * resolution:   => invalid


Comment:

 I don't believe that browsers storing login credentials is a security
 issue. By the way, security issues should be
 [https://docs.djangoproject.com/en/dev/internals/security/#reporting-security-issues reported to the security team]
 rather than in this ticket tracker.

--
Ticket URL: <https://code.djangoproject.com/ticket/28225#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
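
A check a site operator could run over rendered login markup to see which autocomplete behaviour each credential field requests, given here as an added example (not code from the ticket or from Django). The sample HTML is constructed, and the names `AutocompleteAudit` and `audit_autocomplete` are hypothetical.

```python
from html.parser import HTMLParser

# Constructed sample markup, modelled on a username/password login form.
SAMPLE_LOGIN_HTML = """
<form method="post" id="login-form">
  <input type="text" name="username" autofocus required>
  <input type="password" name="password" autocomplete="current-password" required>
  <input type="hidden" name="next" value="/admin/">
  <input type="submit" value="Log in">
</form>
<form method="post" autocomplete="off">
  <input type="text" name="otp">
</form>
"""

CREDENTIAL_TYPES = {"text", "email", "password"}


class AutocompleteAudit(HTMLParser):
    """Collect the effective autocomplete value of each credential-like input."""

    def __init__(self):
        super().__init__()
        self.form_default = None  # autocomplete attribute of the enclosing <form>
        self.findings = []        # (field name, input type, effective value)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_default = attrs.get("autocomplete")
        elif tag == "input":
            input_type = (attrs.get("type") or "text").lower()
            if input_type in CREDENTIAL_TYPES:
                # A field-level attribute overrides the form-level one; with
                # neither present the browser default applies (autofill on).
                value = attrs.get("autocomplete") or self.form_default or "unset"
                self.findings.append((attrs.get("name"), input_type, value.lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_default = None


def audit_autocomplete(html):
    """Return a list of (name, type, effective autocomplete) tuples."""
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Browsers and password managers may still offer to save credentials for login fields marked `autocomplete="off"`, so the attribute is a hint to the browser rather than a control.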
