based on the 3rd party security test result

This forum is only for questions or discussions about working with the mojoPortal source code in Visual Studio, obtaining the source code from the repository, developing custom features, etc. If your question is not along these lines this is not the right forum. Please try to post your question in the appropriate forum.

Please do not post questions about design, CSS, or skinning here. Use the Help With Skins Forum for those questions.

This forum is for discussing mojoPortal development

You can monitor commits to the repository from this page. We also recommend that developers subscribe to email notifications in the developer forum, as occasionally important things are announced there.

Before posting questions here you might want to review the developer documentation.

4/23/2013 6:09:15 AM
Total Posts 5

based on the 3rd party security test result

Hi Joe,

During a third party security test on our mojoPortal site they have come up with the following issue.

A local adversary can steal passwords from the Autocomplete feature of the browser

Browsers have a feature to remember the recently typed web addresses, web form entries, usernames and passwords.
When a user starts typing, the browser suggests possible matches. This feature is known as "Autocomplete" in IE
and "Remember Passwords" in Firefox. If a browser is configured for "Autocomplete settings/Remember Passwords" to remember
the username and password, then every time a user logs in to the application, the browser asks the user to remember
the password. If the user had accidentally or intentionally clicked "Yes", then a local adversary can log in with the
"remembered" password of the previous user.
The browser also stores the saved password either as cleartext or in a form that is easily reversible by an adversary.

We need to fix this to get PCI Certification. Is there any way to fix this?

Thanks

4/23/2013 7:42:44 AM
Total Posts 18439

Re: based on the 3rd party security test result

Hi,

I will add a web.config setting for the next release of mojoPortal so you will be able to add this in user.config:

<add key="DisableAutoCompleteOnLogin" value="true"/>

You can go ahead and add it now so it will be in place after the next upgrade. The default setting will remain false.

Then to solve the problem immediately, you can edit the file /Controls/LoginControl.ascx

Look for the <asp:TextBox id="UserName" ... and <asp:TextBox id="Password" ...

Add the attribute AutoCompleteType="disabled" on both of them.

That should do it.

However, note that older web browsers before HTML 5 do not support this attribute, except for IE; it was a proprietary IE feature until HTML 5. So it should work in modern browsers but may not work in older non-IE browsers.

Hope that helps,

Joe
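
As an added illustration of the setting Joe proposes, here is a hypothetical code-behind for a login user control that reads a DisableAutoCompleteOnLogin appSetting and, when it is true, emits autocomplete="off" on both text boxes. This is example code written for this thread, not mojoPortal's own implementation; the control IDs UserName and Password follow the markup named above, while the class name, the Page_Load wiring and the helper names are assumptions.

```csharp
// Hypothetical code-behind for a login user control (added example; not
// mojoPortal's implementation). It assumes the .ascx declares two TextBox
// controls with IDs "UserName" and "Password", as named in the thread.
using System;
using System.Configuration;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class LoginControl : UserControl
{
    // Name of the appSettings key proposed in the thread.
    private const string DisableAutoCompleteKey = "DisableAutoCompleteOnLogin";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Default is "not disabled" when the key is absent or not "true",
        // matching the default described in the thread.
        if (!IsAutoCompleteDisabledByConfig())
        {
            return;
        }

        DisableAutoComplete(UserName);
        DisableAutoComplete(Password);
    }

    // Reads the appSettings value from web.config / user.config.
    // bool.TryParse is case-insensitive, so "True" and "true" both enable
    // the behaviour; a missing or unparsable value yields false.
    internal static bool IsAutoCompleteDisabledByConfig()
    {
        string raw = ConfigurationManager.AppSettings[DisableAutoCompleteKey];
        bool disabled;
        return bool.TryParse(raw, out disabled) && disabled;
    }

    // Writes the raw HTML attribute autocomplete="off", which is the same
    // attribute that AutoCompleteType="disabled" in markup renders for a
    // single-line text box. Setting it directly on the Attributes collection
    // guarantees it is emitted for the password box too (assumption: this is
    // acceptable for the control's markup).
    internal static void DisableAutoComplete(TextBox box)
    {
        if (box == null)
        {
            return;
        }

        box.Attributes["autocomplete"] = "off";
    }
}
```

To confirm the change before a re-test, view the rendered source of the login page and check that both the username and password inputs carry autocomplete="off". Keep in mind that this attribute is only a hint to the browser: current browser password managers frequently ignore it on login forms, so the server-side change addresses the scanner finding but cannot by itself prevent a user's browser from offering to save the password.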

4/24/2013 5:19:14 AM
Total Posts 5

Re: based on the 3rd party security test result

Hi Joe,

Thanks for the information Joe!  Very helpful to know!  And we bought you some beers :)

Thanks

4/24/2013 10:14:44 AM
Total Posts 18439

Re: based on the 3rd party security test result

Glad I was able to help. Many thanks for the beers! They are very appreciated.

Cheers,

Joe
