Password field with autocomplete enabled
Description
Acceptance / Success Criteria
Activity
Jeff Gehlbach February 10, 2022 at 4:31 PM
@Gerald Humphries yep, that's the one; thanks, and good sleuthing! Let's link https://opennms.atlassian.net/browse/NMS-12146#icft=NMS-12146 to this issue, perhaps as a "depends on".
Gerald Humphries February 10, 2022 at 3:05 PM
@Jeff Gehlbach I think this is it: https://issues.opennms.org/browse/NMS-12146
Making the asset passwords non-autocomplete should fix that issue.
Jeff Gehlbach February 10, 2022 at 2:55 PM
Help > Support, commercial support login: Should not autocomplete. Also, this flow no longer works, and should be removed for the time being (we need a separate issue for this).
Configure users: Should not autocomplete.
Asset fields marked as passwords: Should not autocomplete. There is a community-reported issue that should be linked to this context; I tried to track it down but failed with a quick search.
Gerald Humphries February 8, 2022 at 3:42 AM
I have some questions about the requirements for specific fields:
Help > Support in the header will show a login form for Commercial Support. This looks like a separate set of credentials from the main login. Should this form use autocomplete, and should its autocomplete be separate from the main login if possible?
Configuring users in the admin menu allows an admin user to set other users' passwords. Should password autocomplete be disabled here, like mentioned in the comment above?
The "Asset" form that's accessible in Node information > Asset Info can show password fields. Should autocomplete be enabled or disabled here?
Gerald Humphries February 8, 2022 at 3:28 AM
There are several kinds of password fields throughout the application where we might not want to autocomplete.
For example, we may not want to save/autocomplete credentials when managing another user's password.
From MDN (https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion#preventing_autofilling_with_autocompletenew-password), these kinds of fields can have autocomplete turned off with autocomplete="new-password":
"If you are defining a user management page where a user can specify a new password for another person, and therefore you want to prevent autofilling of password fields, you can use autocomplete="new-password"."
Details
Assignee: Gerald Humphries
Reporter: Gaurav Pande
HB Grooming Date: Dec 14, 2021
HB Backlog Status: NB
Sprint: None
Priority: Low

Vulnerability Description: Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications that employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.
Evidence: The following instances of this issue were identified at these locations:
/opennms/account/selfService/newPasswordEntry
/opennms/admin/userGroupView/users/newUser.jsp
/opennms/login.jsp
/opennms/login.jsp;jsessionid=node0195bty4d669od38s4yghr8p1t54869.node0
/opennms/support/index.htm
Impact: The stored credentials can be captured by an attacker who gains control over the user's computer. Further, an attacker who finds a separate application vulnerability such as cross-site scripting may be able to exploit this to retrieve a user's browser-stored credentials.
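An added audit helper (not OpenNMS code) that applies the MDN guidance from the comments to page markup like the locations listed in the evidence: it parses a form and reports password inputs that carry neither autocomplete="new-password" nor "off", and runs over a constructed sample modelled on the user-management form. The sample field names and the decision to treat "off" as acceptable are assumptions.

```python
"""Audit HTML form markup for password inputs a browser may autofill or store.

Added example, not OpenNMS project code. Per the MDN guidance quoted in the
issue comments, autocomplete="new-password" on a password input tells the
browser not to offer stored credentials; "off" is honoured by some browsers
as well, so both are treated as safe here (an assumption of this script).
"""
from html.parser import HTMLParser

SAFE_AUTOCOMPLETE = {"new-password", "off"}


class PasswordFieldAuditor(HTMLParser):
    """Collects every <input type="password"> and its autocomplete setting."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (field name, autocomplete value or None)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # attrs is a list of (name, value); value is None for bare attributes
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() != "password":
            return
        self.findings.append((a.get("name", "?"), a.get("autocomplete")))


def find_autofillable_password_fields(markup: str):
    """Return names of password inputs lacking a safe autocomplete value."""
    auditor = PasswordFieldAuditor()
    auditor.feed(markup)
    return [name for name, ac in auditor.findings
            if ac is None or ac.strip().lower() not in SAFE_AUTOCOMPLETE]


# Constructed sample resembling an admin "set another user's password" form.
# The first password field mirrors the reported defect; the second applies
# the MDN fix. Field names are made up for this example.
SAMPLE_FORM = """
<form method="post" action="/opennms/admin/userGroupView/users/newUser.jsp">
  <input type="text" name="userID" autocomplete="username">
  <input type="password" name="pass1">
  <input type="password" name="pass2" autocomplete="new-password">
</form>
"""

if __name__ == "__main__":
    for field in find_autofillable_password_fields(SAMPLE_FORM):
        print(f"password field '{field}' may be autofilled/stored by the browser")
```

The check is deliberately strict: any value other than new-password or off (including a missing attribute) is reported, which is the same condition the scanner flagged on the listed pages.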