Details
- Bug
- Resolution: Fixed
- Low
- 5.1.3
- None
- 5.01
- 2.6
Description
The "session expiry" and "XSRF token missing" pages will echo any submitted values. This may result in echoing the submitted password to the page in plain text if triggered on the WebSudo authentication page.
Modify the error pages (session_expired.jsp and xsrf_missing.jsp) so they don't echo parameters whose names contain "password".
To reproduce, go to a WebSudo prompt, then log out in another tab, then submit the WebSudo form. Your password will be echoed back to you.
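One way to implement the filtering described above, as an added example (not the project's own code). The class name, method names and sample parameter names are hypothetical, and the example assumes the error page renders echoed parameters as an HTML list; it also goes slightly beyond the issue text by matching "password" case-insensitively and HTML-escaping what it does echo.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

// Added example: hypothetical helper an error page could call instead of
// echoing every entry of the request's parameter map.
public class EchoFilter {
    // Rule from the issue: skip parameters whose names contain "password".
    static boolean isSensitive(String name) {
        return name.toLowerCase(Locale.ROOT).contains("password");
    }

    // Minimal HTML escaping so echoed names and values stay inert text.
    static String escape(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Accepts the same shape as ServletRequest.getParameterMap().
    static String renderEchoedParameters(Map<String, String[]> params) {
        StringBuilder html = new StringBuilder("<ul>\n");
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            if (isSensitive(e.getKey())) continue; // value never reaches the response
            for (String v : e.getValue()) {
                html.append("<li>").append(escape(e.getKey())).append(" = ")
                    .append(escape(v)).append("</li>\n");
            }
        }
        return html.append("</ul>\n").toString();
    }

    public static void main(String[] args) {
        // Constructed sample input; the parameter names are made up for illustration.
        Map<String, String[]> params = new LinkedHashMap<>();
        params.put("webSudoPassword", new String[] {"constructed-secret"});
        params.put("destination", new String[] {"/secure/admin/<x>"});
        System.out.print(renderEchoedParameters(params));
    }
}
```

Run against the constructed input, only the `destination` entry is rendered, with `<x>` escaped to `&lt;x&gt;`.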
Issue Links
- is duplicated by
  - JRASERVER-35005 Password displayed in clear text when logging in to a websudo session that has expired (Closed)