Bug 464047 - Password in Query or Cookie Data
Summary: Password in Query or Cookie Data
Status: RESOLVED WONTFIX
Alias: None
Product: Hudson
Classification: Technology
Component: Core
Version: unspecified
Hardware: All Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Winston Prakash CLA
QA Contact: Geoff Waymark CLA
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2015-04-07 09:17 EDT by Queenie Chow CLA
Modified: 2019-05-14 14:19 EDT

See Also:


Attachments
Firbug debug showing login submission as POST (53.92 KB, image/png)
2015-04-07 13:12 EDT, Winston Prakash CLA
Description Queenie Chow CLA 2015-04-07 09:17:55 EDT
We recently performed a security scan against our Hudson instance. In the scan report, we were flagged with a high issue for password management: Insecure Submission.

When a user is logging in to Hudson, the user password was found in the query string of a GET request or Set-Cookie header. The recommendation is to ensure that login information is sent with a POST request.

Any chance of fixing that in a future version of Hudson?
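
The condition the scan describes can be checked directly against captured HTTP traffic. The following is an added example, not part of the original report and not Hudson code: it flags credential fields in a request's query string or in a response's Set-Cookie header, and treats a POST body as acceptable. The field names in `SENSITIVE`, the host `hudson.example`, the `/login` path and all sample messages are assumptions constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlsplit

# Assumed credential field names; adjust to the login form under review.
SENSITIVE = {"password", "passwd", "pwd", "j_password"}

# Constructed sample traffic (not captured from a real Hudson instance).
GET_LOGIN = ("GET /login?j_username=alice&j_password=example-secret HTTP/1.1\r\n"
             "Host: hudson.example\r\n\r\n")
POST_LOGIN = ("POST /login HTTP/1.1\r\nHost: hudson.example\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              "j_username=alice&j_password=example-secret")
RESP_BAD = "HTTP/1.1 302 Found\r\nSet-Cookie: password=example-secret; Path=/\r\n\r\n"
RESP_OK = "HTTP/1.1 302 Found\r\nSet-Cookie: JSESSIONID=abc123; Path=/; HttpOnly\r\n\r\n"

def _headers(lines):
    """Yield (lowercased name, value) for each header line up to the blank line."""
    for line in lines:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        yield name.strip().lower(), value.strip()

def find_exposures(request: str, response: str = "") -> list[str]:
    """Return findings for credentials placed in the URL or in Set-Cookie."""
    findings = []
    method, target, *_ = request.splitlines()[0].split()
    # The URL is what ends up in access logs, proxies and browser history,
    # so a credential in the query string is reported for any method.
    # keep_blank_values: "password=" still counts as a credential field.
    for key, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if key.lower() in SENSITIVE:
            findings.append(f"{method} query string carries '{key}'")
    # Skip the status line, then inspect each Set-Cookie header.
    for name, value in _headers(response.splitlines()[1:]):
        if name == "set-cookie":
            cookie = SimpleCookie()
            cookie.load(value)
            for key in cookie:
                if key.lower() in SENSITIVE:
                    findings.append(f"Set-Cookie carries '{key}'")
    return findings

if __name__ == "__main__":
    for req, resp in [(GET_LOGIN, RESP_OK), (POST_LOGIN, RESP_OK), (POST_LOGIN, RESP_BAD)]:
        print(find_exposures(req, resp) or "no exposure found")
```
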
Comment 1 Winston Prakash CLA 2015-04-07 13:11:35 EDT
Can you please give more detail about

- Version of Hudson
- User directory (realm) setup (Hudson database, LDAP etc)
- Authorization scheme

I just did a quick check; both login modes, regular form submission and dialog jQuery submission, use POST.

See attached image (Firebug debug)
Comment 2 Winston Prakash CLA 2015-04-07 13:12:40 EDT
Created attachment 252206
Firbug debug showing login submission as POST
Comment 3 Wayne Beaton CLA 2019-05-14 14:19:45 EDT
The Eclipse Hudson project has been terminated and archived.