U4-6624 - Sensitive form field has not disabled autocomplete

Created by Jeffrey Schoemaker 15 May 2015, 07:43:16 Updated by Sebastiaan Janssen 15 May 2018, 07:09:46

Relates to: U4-11321

Whenever we execute a vulnerability scan on an Umbraco 7 website we get the following vulnerability error on the file /umbraco/views/common/dialogs/login.html:

Sensitive form field has not disabled autocomplete OWASP: A5 Security Misconfiguration [https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration]

Details

'''Threat''' An HTML form that collects sensitive information (such as a password field) does not prevent the browser from prompting the user to save the populated values for later reuse. Stored credentials should not be available to anyone but their owner.

'''Impact''' If the browser is used in a shared computing environment where more than one person may use the browser, then "autocomplete" values may be submitted by an unauthorized user. For example, if a browser saves the login name and password for a form, then anyone with access to the browser may submit the form and authenticate to the site without having to know the victim's password.

'''Solution''' Add the following attribute to the form or input element: autocomplete="off". This attribute prevents the browser from prompting the user to save the populated form values for later reuse.

I did some research and turning autocomplete off won't break password managers like LastPass.
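As an added illustration (not part of this report or of the Umbraco pull request), the check below parses a page with Python's standard library and reports every password input where neither the input itself nor its enclosing form carries autocomplete="off", which is the condition the scanner flags; the sample markup is constructed.

```python
from html.parser import HTMLParser

# Constructed sample: form login-a disables autocomplete at form level,
# login-b on the input itself, and login-c not at all (the finding).
SAMPLE_HTML = """
<form id="login-a" autocomplete="off">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
<form id="login-b">
  <input type="password" name="password" autocomplete="off">
</form>
<form id="login-c">
  <input type="password" name="password">
</form>
"""


class AutocompleteAudit(HTMLParser):
    """Collect password inputs whose autocomplete is not disabled."""

    def __init__(self):
        super().__init__()
        self.form_stack = []  # (form id, form-level autocomplete="off"?)
        self.findings = []    # (form id, input name) pairs

    def handle_starttag(self, tag, attrs):
        # attribute names arrive lowercased; values may be None
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self.form_stack.append((a.get("id", "<anonymous>"), a.get("autocomplete") == "off"))
            return
        if tag == "input" and a.get("type") == "password":
            own_off = a.get("autocomplete") == "off"
            form_id, form_off = self.form_stack[-1] if self.form_stack else ("<no form>", False)
            if not own_off and not form_off:
                self.findings.append((form_id, a.get("name", "<unnamed>")))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_stack:
            self.form_stack.pop()


def find_unprotected_password_fields(html):
    """Return (form id, input name) for each password field lacking autocomplete="off"."""
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for form_id, name in find_unprotected_password_fields(SAMPLE_HTML):
        print(f"form {form_id}: password input '{name}' does not disable autocomplete")
```

Current browsers ignore autocomplete="off" for password fields in login forms when deciding whether to offer to save credentials, so the attribute satisfies the scanner rule but is not by itself a control against saved logins on shared machines.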

Comments

Jeffrey Schoemaker 15 May 2015, 07:50:48

The fix: https://github.com/umbraco/Umbraco-CMS/pull/689/files
Priority: Normal

Type: Bug

State: Fixed

Assignee:

Difficulty: Normal

Category:

Backwards Compatible: True

Fix Submitted: Pull request

Affected versions: 7.1.1, 7.2.0, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5

Due in version: 7.3.0

Sprint:

Story Points:

Cycle: