EDRN / labcas-ui

User Interface for the Laboratory Catalog and Archive Service (LabCAS)
Apache License 2.0

Plain text password in cookies #206

Open nutjob4life opened 1 month ago

nutjob4life commented 1 month ago

👮 Describe the Vulnerability

The image below shows us attempting to log into https://edrn-labcas.jpl.nasa.gov/labcas-ui/index.html?version=3.0.0 and the tool showing the request that contains the plaintext user and password. The only steps taken were:

  1. Navigating to https://edrn-labcas.jpl.nasa.gov/labcas-ui/index.html?version=3.0.0
  2. Entering test credentials
  3. Upon pressing the Login button, the request will be sent and shown
[Screenshot 2024-06-04 at 11:23:42 AM]
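The check a tester would run on the captured request, as an added example that is not code from the labcas-ui project or from anyone in this thread: parse a raw HTTP request and report every place a password-like field travels in the clear, distinguishing the expected case (a credential in the body of a login POST over TLS) from the defect reported here (a credential persisted in a cookie and replayed on every request). The request texts are constructed for illustration; the cookie names, the form field names and the `/labcas-ui/login` endpoint are assumptions, not LabCAS's real ones.

```javascript
'use strict';

// Key names that normally hold a secret when they appear as a cookie, query
// or form-field key. Substring match, so "userpassword" is caught too.
const SECRET_KEYS = ['password', 'passwd', 'pwd', 'secret'];

// Percent-decode without throwing on malformed input.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// Split a raw request (CRLF or LF) into start line, lowercased headers and body.
function parseRequest(raw) {
  const text = raw.replace(/\r\n/g, '\n');
  const sep = text.indexOf('\n\n');
  const head = sep === -1 ? text : text.slice(0, sep);
  const body = sep === -1 ? '' : text.slice(sep + 2);
  const lines = head.split('\n');
  const [method, target, version] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i === -1) continue;
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, target, version, headers, body };
}

// "k=v; k2=v2" (cookies) or "k=v&k2=v2" (query string / form body) -> [[k, v], ...]
function parsePairs(s, delim) {
  const out = [];
  for (const part of s.split(delim)) {
    const p = part.trim();
    if (!p) continue;
    const i = p.indexOf('=');
    const k = i === -1 ? p : p.slice(0, i);
    const v = i === -1 ? '' : p.slice(i + 1);
    out.push([safeDecode(k.trim()), safeDecode(v)]);
  }
  return out;
}

function isSecretKey(k) {
  const lk = k.toLowerCase();
  return SECRET_KEYS.some(s => lk.includes(s));
}

// Return [{ location, key }] for every non-empty secret-looking field in the
// Cookie header, the query string, a form body or a JSON body.
function findPlaintextCredentials(raw) {
  const req = parseRequest(raw);
  const findings = [];
  const check = (location, pairs) => {
    for (const [k, v] of pairs) {
      if (isSecretKey(k) && v !== '') findings.push({ location, key: k });
    }
  };
  if (req.headers.cookie) check('cookie', parsePairs(req.headers.cookie, ';'));
  const q = req.target.indexOf('?');
  if (q !== -1) check('query', parsePairs(req.target.slice(q + 1), '&'));
  const ct = req.headers['content-type'] || '';
  if (ct.startsWith('application/x-www-form-urlencoded')) {
    check('form-body', parsePairs(req.body, '&'));
  } else if (ct.startsWith('application/json')) {
    try {
      check('json-body', Object.entries(JSON.parse(req.body)).map(([k, v]) => [k, String(v)]));
    } catch (e) { /* not JSON; nothing to check */ }
  }
  return findings;
}

// The defect in this issue: a secret that is stored client-side and sent back
// on every request. A secret in the body of the login POST itself is expected.
function credentialsPersistedInCookie(raw) {
  return findPlaintextCredentials(raw).some(f => f.location === 'cookie' || f.location === 'query');
}

// Constructed sample requests (hypothetical cookie/field names and endpoint).
const VULNERABLE_REQUEST = [
  'GET /labcas-ui/index.html?version=3.0.0 HTTP/1.1',
  'Host: example.invalid',
  'Cookie: user=alice; password=hunter2',
  '', '',
].join('\r\n');

const HARDENED_REQUEST = [
  'GET /labcas-ui/index.html?version=3.0.0 HTTP/1.1',
  'Host: example.invalid',
  'Cookie: session=8f3c0d9e2b1a',   // opaque server-issued token, not the password
  '', '',
].join('\r\n');

const LOGIN_POST = [
  'POST /labcas-ui/login HTTP/1.1',
  'Host: example.invalid',
  'Content-Type: application/x-www-form-urlencoded',
  '',
  'user=alice&password=hunter2',
].join('\r\n');

console.log(findPlaintextCredentials(VULNERABLE_REQUEST), credentialsPersistedInCookie(VULNERABLE_REQUEST));
console.log(findPlaintextCredentials(HARDENED_REQUEST), credentialsPersistedInCookie(HARDENED_REQUEST));
console.log(findPlaintextCredentials(LOGIN_POST), credentialsPersistedInCookie(LOGIN_POST));
```

The hardened shape the checker is looking for is the usual one: the browser sends the password once, in a POST body over TLS, and the server answers with an opaque session identifier in a cookie marked `HttpOnly`, `Secure` and `SameSite`, so the password itself never lands in cookie storage or gets replayed.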
nutjob4life commented 1 month ago

@yuliujpl when this is fixed, please let the following know:

yuliujpl commented 1 month ago

@nutjob4life @hoodriverheather issue resolved in edrn-labcas. Ran a few selenium tests and they worked fine! Hopefully the security tests will return success!

nutjob4life commented 4 weeks ago

@yuliujpl excelsior! 🎉

Once the folks mentioned in this comment concur, we can close this issue. What a relief! 😌