USGS-WiM / SiGLDMS

Data management system for SiGL

Remediate Vulnerability: Password field submitted using GET method #243

Status: Closed (aaronstephenson closed this issue 3 years ago)

aaronstephenson commented 3 years ago

Acunetix scan reports this app contains a form with a password field. This form submits user data using the GET method, therefore the contents of the password field will appear in the URL. Sensitive information should not be passed via the URL. URLs could be logged or leaked via the Referer header.

The form is found in /SiGLDMS/component/logInOut/login.html

The remediation is to change the form such that the password field should be submitted through POST instead of GET.
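The finding above (a password field inside a form that submits with GET) can be checked for locally before a scanner does. The following is an added example, not code from the SiGLDMS repository: a small checker that scans HTML for forms containing a password input whose method is missing or not POST, run over constructed sample markup that shows the weak pattern beside the remediated one.

```javascript
// Added example (not part of SiGLDMS): flag forms that would put a password
// into the URL. Browsers default to GET when the method attribute is absent
// or unrecognised, so only an explicit POST is treated as safe here.

// Constructed sample markup; not copied from login.html. The first form is the
// weak pattern, the second is the remediated one, the third has no password.
const SAMPLE_HTML = `
<form id="login-weak" action="/SiGLDMS/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Log in</button>
</form>
<form id="login-fixed" action="/SiGLDMS/login" method="post">
  <input type="text" name="username">
  <input type="PASSWORD" name="password">
  <button type="submit">Log in</button>
</form>
<form id="search" action="/SiGLDMS/search">
  <input type="text" name="q">
</form>`;

// Read one attribute value (double-quoted, single-quoted or bare) from the
// attribute string of a tag; attribute names are matched case-insensitively.
function attr(tagAttrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(tagAttrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Returns one finding per form that contains a password input and would
// submit with a method other than POST: { form: id-or-action, method }.
function findPasswordFormsUsingGet(html) {
  const findings = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  const passwordInputRe = /<input\b[^>]*\btype\s*=\s*(?:"password"|'password'|password(?=[\s\/>]))/i;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    if (!passwordInputRe.test(body)) continue;
    const method = (attr(attrs, 'method') || 'get').toLowerCase();
    if (method !== 'post') {
      findings.push({ form: attr(attrs, 'id') || attr(attrs, 'action'), method });
    }
  }
  return findings;
}
```

Running `findPasswordFormsUsingGet(SAMPLE_HTML)` reports only `login-weak`; the same check applied to a page's real login markup confirms the remediation before redeploying.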

aaronstephenson commented 3 years ago

This is a "medium" level vulnerability and must be remediated as soon as possible.

esmyers commented 3 years ago

SiGL Services updated and redeployed to accept POST. See: https://github.com/USGS-WiM/SiGLServices/commit/09c80db687a47f3294d20629d0bdc7b432203b0f

SiGL DMS updated and redeployed to POST login creds. See: https://github.com/USGS-WiM/SiGLDMS/blob/cleanup/src/services/LaMPResource.js#L724