New Question
0

Security issue: freeRDP proxy has passwords in browser history

asked 2015-07-09 16:11:32 +0300

webnew gravatar image

Using the proxy login for HTML5 access all parameters are send within the URL, also user name and password. The form is using the GET methode, should be changed to POST. In the log / history of the used browser you can get the complete URL with user name and password.

edit retag flag offensive close merge delete

1 answer

Sort by » oldest newest most voted
0

answered 2015-07-10 01:30:00 +0300

alexpilotti gravatar image

It's not a matter of GET or POST as the issue is in the query string passed during WebSocket creation. This is not visible in the browser's address bar / history, but it can be easily spotted when inspecting the calls.

It's a "feature" from the early days of the project, predating the day we took over the project, and it's currently being refactored to avoid such leaks.

Note: this does not affect OpenStack connections as connection parameters are obtained from Nova.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

[hide preview]

Question Tools

Stats

Asked: 2015-07-09 16:11:32 +0300

Seen: 171 times

Last updated: Jul 10 '15