0

Security issue: freeRDP proxy has passwords in browser history

asked 2015-07-09 16:11:32 +0300

webnew

Using the proxy login for HTML5 access, all parameters are sent within the URL, also user name and password. The form is using the GET method; it should be changed to POST. In the log / history of the used browser you can get the complete URL with user name and password.


1 answer

0

answered 2015-07-10 01:30:00 +0300

alexpilotti

It's not a matter of GET or POST as the issue is in the query string passed during WebSocket creation. This is not visible in the browser's address bar / history, but it can be easily spotted when inspecting the calls.

It's a "feature" from the early days of the project, predating the day we took over the project, and it's currently being refactored to avoid such leaks.

Note: this does not affect OpenStack connections as connection parameters are obtained from Nova.

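The pattern the answer describes (credentials in the query string used at WebSocket creation), next to one way to avoid it, as an added example that is not part of the original posts or the project's own code. The parameter names `user` and `pass`, the host `gateway.example`, the `auth` message shape, and a server that accepts credentials in the first frame are all assumptions made for illustration.

```javascript
// Added example: parameter names, host and message shape are hypothetical.
const SENSITIVE = /^(user(name)?|pass(word)?|pwd|token|secret)$/i;

// Pattern described in the answer: credentials ride in the WebSocket URL,
// so they appear wherever the request is recorded or inspected.
function buildLeakyUrl(base, creds) {
  const url = new URL(base);
  for (const [k, v] of Object.entries(creds)) url.searchParams.set(k, v);
  return url.toString();
}

// Check for a test suite or review script: list credential-like query keys.
function findCredentialParams(rawUrl) {
  return [...new URL(rawUrl).searchParams.keys()].filter((k) => SENSITIVE.test(k));
}

// Alternative: open the socket with a clean URL over TLS and send the
// credentials as the first frame once the connection is established.
// WebSocketImpl is injected: pass the browser's WebSocket, or a stub in tests.
function connectWithAuthFrame(WebSocketImpl, base, creds) {
  const url = new URL(base);
  if (url.protocol !== "wss:") throw new Error("refusing to send credentials without TLS");
  if (findCredentialParams(base).length) throw new Error("credentials found in URL");
  const ws = new WebSocketImpl(url.toString());
  ws.onopen = () => ws.send(JSON.stringify({ type: "auth", ...creds }));
  return ws;
}

// Minimal stand-in for the browser WebSocket, constructed for this example.
class FakeSocket {
  constructor(url) { this.url = url; this.sent = []; }
  send(data) { this.sent.push(data); }
}

function demo() {
  const creds = { user: "alice", pass: "example-only" }; // constructed values
  const base = "wss://gateway.example/rdp?host=10.0.0.5"; // constructed URL
  const leaky = buildLeakyUrl(base, creds);
  const ws = connectWithAuthFrame(FakeSocket, base, creds);
  ws.onopen(); // simulate the handshake completing
  return { leaky, flagged: findCredentialParams(leaky), cleanUrl: ws.url, firstFrame: ws.sent[0] };
}
```
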


Stats

Seen: 444 times

Last updated: Jul 10 '15