Forum OpenACS Development: Re: ad_get_login_url Is there a security bug?

Posted by Gustaf Neumann on
If I see this correctly (the raw dump you posted is not easy to read), the following happened above:
1) the user went to the /pvt/home page
2) pressed "change your password"
3) after filling out the form, the login had expired, and the user was redirected to the login page (/register) with this return_url, such that after the login, the password change will be executed.

In case of redirects, all parameters (GET and POST) are turned into query parameters, since the URL passed in the "location:" header field is always used in a GET issued by the browser. So, whenever a password is filled into a form there is the possibility that it might be passed at some time as a query parameter ... and might show up in logs, etc. Therefore, sites with sensitive data are required to use HTTPS, and server logs have to be kept secure.

This is not new (see e.g. [1]), the principle applies potentially to all return_url handling in all packages.

There are ways improvements are possible, but it is not clear upfront how deep some collateral damage might be.

And yes, if one enters a password in a client (browser) which is compromised, the password can be lost ... in such a case the query parameters of a redirect are the least of the concerns.
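The mechanism described in the post, as an added example that is not OpenACS code and not part of the original thread: a POST form bounced through a login redirect has its fields serialized into the query string of return_url, so a password can end up in the URL and in access logs. The block below reproduces that naive behaviour next to two defensive measures, dropping password-like fields before return_url is built, and redacting their values (including inside a nested return_url) before a URL is logged. All names (SENSITIVE_KEYS, build_return_url, naive_return_url, login_redirect, redact_for_log, query_params) and the field names and values are assumptions made for this example.

```python
"""Added example (not OpenACS code): POST fields leaking into a return_url
query string, and two defensive measures a site can apply."""

from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Field names that must never survive into a query string or a log line.
# This set is an assumption for the example, not an OpenACS parameter.
SENSITIVE_KEYS = {"password", "password_confirm", "old_password", "new_password"}


def naive_return_url(path: str, form_fields: dict) -> str:
    """The behaviour the post describes: every submitted field, including a
    password, becomes a query parameter so the request can be replayed as GET."""
    return f"{path}?{urlencode(sorted(form_fields.items()))}"


def build_return_url(path: str, form_fields: dict, sensitive=SENSITIVE_KEYS) -> str:
    """Hardened variant: sensitive fields are dropped from return_url, so the
    user re-enters them after logging in instead of carrying them in the URL."""
    safe = {k: v for k, v in form_fields.items() if k not in sensitive}
    query = urlencode(sorted(safe.items()))
    return f"{path}?{query}" if query else path


def login_redirect(return_url: str) -> str:
    """The Location target a login page would receive, with return_url nested
    (URL-encoded) inside the outer query string."""
    return "/register?" + urlencode({"return_url": return_url})


def redact_for_log(url: str, sensitive=SENSITIVE_KEYS) -> str:
    """Mask sensitive query values before a URL is written to a log.

    Parameter names are kept so the log stays useful for debugging; only the
    values are replaced.  A nested return_url is decoded and redacted too,
    because that is exactly where the leaked form fields sit."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    redacted = []
    for key, value in pairs:
        if key in sensitive:
            redacted.append((key, "REDACTED"))
        elif key == "return_url":
            redacted.append((key, redact_for_log(value, sensitive)))
        else:
            redacted.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(redacted)))


def query_params(url: str) -> dict:
    """Decode the query string of a URL into {name: [values]} for inspection."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


if __name__ == "__main__":
    # Constructed sample submission of a "change your password" form.
    form = {"old_password": "hunter2", "new_password": "correct horse", "user_id": "42"}
    leaky = login_redirect(naive_return_url("/pvt/change-password", form))
    print("naive redirect :", leaky)
    print("logged as      :", redact_for_log(leaky))
    print("hardened       :", login_redirect(build_return_url("/pvt/change-password", form)))
```

Both measures are independent: redaction protects the logs once a leak has happened, while dropping the fields from return_url keeps the password out of the Location header, browser history and proxy logs in the first place, at the cost of the user having to fill in the password fields again after logging in.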