VID | 21775
Severity | 20
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description
The Web server serves a page whose HTML form contains a password field with the AutoComplete attribute enabled. HTML forms are a key component of exchanging information between a user and the server. Various Web browsers include an integrated feature called AutoComplete, which helps users quickly enter information into form fields. AutoComplete stores information entered into INPUT text and INPUT password fields on the computer's hard drive. The next time the user visits a Web page and begins typing in a field with the same name, AutoComplete displays a box listing previously entered data. In many situations, such as public computers (e.g., in a public library or a university computer lab), older operating systems, or a user failing to lock the computer when leaving, the stored password is available for use or theft.
* References: http://msdn.microsoft.com/library/default.asp?url=/workshop/author/forms/autocomplete_ovr.asp http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/reference/properties/autocomplete.asp
* Platforms Affected: Any HTTP server, any version; any operating system, any version
Recommendation
By default, AUTOCOMPLETE is turned on. Make sure to set the AUTOCOMPLETE="OFF" option on any web form containing INPUT password fields, e.g.:

```html
<!-- autocomplete="off" on the form covers every field in it;
     setting it on the password field as well is harmless and explicit.
     Credentials are sent with POST so they do not end up in URLs or logs. -->
<form action="login.php" method="POST" autocomplete="off">
  <label>Passwd: <input type="password" name="password" autocomplete="off"></label>
  <input type="submit" name="submit" value="Log in">
</form>
```

To turn off AutoComplete completely in the Microsoft Internet Explorer browser (if you don't want your user names, passwords, and other information sitting in drop-down windows):
1. Open Internet Explorer.
2. Choose Internet Options from the Tools menu.
3. Click the Content tab.
4. Click the AutoComplete button.
5. Uncheck the option boxes named 'Web addresses', 'Forms', and 'Usernames and passwords on forms'.
6. Click the Clear Forms button.
7. Click the Clear Passwords button.
8. Click OK.
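The check this entry describes, written out as an added example (not the scanner's own code): walk the HTML, track each form's autocomplete setting, and report password inputs that neither they nor their enclosing form turn AutoComplete off for. The sample markup is constructed for the demonstration.

```python
"""Flag password fields that a browser's AutoComplete may store (added example)."""
from html.parser import HTMLParser


class _FormAuditor(HTMLParser):
    """Record password inputs lacking autocomplete="off" on the field or its form."""

    def __init__(self):
        super().__init__()
        self.form_stack = []  # (action, autocomplete) for each open <form>
        self.findings = []    # (form action, input name) pairs that are exposed

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self.form_stack.append((a.get("action", ""), a.get("autocomplete", "")))
        elif tag == "input" and a.get("type", "text") == "password":
            action, form_ac = self.form_stack[-1] if self.form_stack else ("", "")
            # Exposed unless the field itself or its enclosing form says "off".
            if a.get("autocomplete", "") != "off" and form_ac != "off":
                self.findings.append((action, a.get("name", "")))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_stack:
            self.form_stack.pop()


def exposed_password_fields(html):
    """Return [(form action, field name)] for password inputs AutoComplete may store."""
    auditor = _FormAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: one exposed form, one fixed at form level, one at field level.
SAMPLE = """
<form action="login.php" method="POST">
  <input type="text" name="user">
  <input type="password" name="password">
</form>
<form action="change.php" method="POST" autocomplete="off">
  <input type="password" name="newpass">
</form>
<form action="admin.php" method="POST">
  <input type="password" name="pin" autocomplete="off">
</form>
"""

if __name__ == "__main__":
    print(exposed_password_fields(SAMPLE))  # [('login.php', 'password')]
```

Current browser password managers largely ignore autocomplete="off" on login fields, so treat a clean result as one layer of defence rather than proof that credentials cannot be cached on a shared machine.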
Related URL (CVE) |
Related URL (SecurityFocus) |
Related URL (ISS) |