Cleartext password vulnerability

Naresh Ede asked on February 13, 2020 02:14

Hi all,

We have the below issue reported from our security team.

When we enter the username & password in CMS admin login form and submit, a POST request is sending to the CMSpages/Login.aspx page and if we see the request data in the network tab, we will see username & password in normal text format.

Is there any setting needs to be enabled to send the password in encrypted format instead of cleartext.

Also is this really a vulnerability as the passwords will be encrypted in server side anyway.

Thanks.

Recent Answers

Dat Nguyen answered on February 13, 2020 02:32

If you are using HTTPS, then the data that a client sends to the server is encrypted. If not, this is a vulnerability.

1 votesVote for this answer Mark as a Correct answer

Peter Cranston answered on February 14, 2020 14:33

As Dat says, as long as you have an SSL certificate configured and send the request over HTTPS then you will be fine. This is not just a Kentico issue, the same applies whenever you are sending or receiving sensitive data across the web.

In fact, many browsers these days will display a warning to the user if they are accessing a site over HTTP instead of HTTPS, so you would be best to enable HTTPS across the whole site and completely disable HTTP, unless you have a very good reason for keeping HTTP enabled.

1 votesVote for this answer Mark as a Correct answer

Naresh Ede answered on February 17, 2020 06:11

Thanks Dat & Peter, We have SSL enabled for the site. We are seeing the Username & password in the newtwork tab(refer screenshot) Image Text

Can you please tell me that exposing Username & password in network tab (as per above image) is a vulnarability or not.

Also, How can we test the credentials are encrypted or not while browsing with HTTPS?

0 votesVote for this answer Mark as a Correct answer

   Please, sign in to be able to submit a new answer.