Website Security Risk


2 replies to this topic

#1 Crane


Posted 08 June 2010 - 09:35 AM

This might be more of a suggestion, but it is a technical issue... I would like to suggest reprogramming the trading pages on the website to use the HTTP "POST" submission method rather than HTTP "GET", for two reasons:

1) It violates the HTML specification, as the form isn't genuinely "idempotent" (the only case in which "GET" is the recommended method).
2) The user's account password appears in the address bar (in plaintext) after it is submitted.
The Crane Temple Chairman

Main crits:
Crane
Europa


Don't kill the messenger mathematician!
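The point of the post above, as an added example that is not part of the original thread or of the site's own code: a form whose method is GET (or that has no method attribute at all, since GET is the HTML default) serialises every field, password included, into the query string of the request URL, which is what ends up in the address bar, browser history, proxy and web-server access logs, and the Referer header sent to the next page. The script below audits markup for exactly that pattern and then shows the request each form would produce. The sample HTML, the action paths and the field names are constructed for the demonstration; the real site's markup is not known.

```javascript
// Added example: flag HTML forms that would put a password into the URL, and
// show the difference between a GET and a POST submission of the same fields.
// Plain regexes are enough for simple markup like the sample; use a real HTML
// parser for arbitrary pages.

// Constructed sample markup (field names and paths are assumptions, modelled
// on the "character name + account password, then Next" form in the thread).
const SAMPLE_HTML = `
<form action="/classchange.php" method="get">
  <input type="text" name="charname">
  <input type="password" name="password">
  <input type="submit" value="Next">
</form>
<form action="/search.php">
  <input type="text" name="q">
</form>
<form action="/login.php" method="POST">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
`;

// Parse the attributes of a single opening tag into a lowercase-keyed object.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// One record per form: action, effective method, password field names, and
// whether submitting it would place a password in the request URL.
function auditForms(html) {
  const results = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let f;
  while ((f = formRe.exec(html)) !== null) {
    const attrs = parseAttrs(f[1]);
    const method = (attrs.method || 'get').toLowerCase(); // missing method => GET
    const passwordFields = [];
    const inputRe = /<input\b[^>]*>/gi;
    let i;
    while ((i = inputRe.exec(f[2])) !== null) {
      const a = parseAttrs(i[0]);
      if ((a.type || 'text').toLowerCase() === 'password') passwordFields.push(a.name);
    }
    results.push({
      action: attrs.action || '',
      method,
      passwordFields,
      leaksPasswordInUrl: method === 'get' && passwordFields.length > 0,
    });
  }
  return results;
}

// What the browser actually sends: GET appends the encoded fields to the URL,
// POST carries the same encoded string in the request body and leaves the URL alone.
function buildRequest(form, values) {
  const params = new URLSearchParams(values).toString();
  if (form.method === 'get') {
    return { url: `${form.action}?${params}`, body: null };
  }
  return { url: form.action, body: params };
}

// Run the audit over the constructed sample and print each form's request.
const sampleValues = { charname: 'Inglastex', password: 'hunter2' };
for (const form of auditForms(SAMPLE_HTML)) {
  const req = buildRequest(form, sampleValues);
  console.log(form.leaksPasswordInUrl ? 'LEAK' : 'ok  ', form.method.toUpperCase(),
    req.url, req.body ? `body=${req.body}` : '');
}
```

Note that "encoding" the value (URL-encoding, base64 or similar) does not change any of this: the string is still part of the URL and still lands in history and logs, only in a different spelling. The fix is the one the post asks for, method="post", ideally over HTTPS so the body is not readable on the wire either.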

#2 Crane


Posted 04 July 2010 - 01:42 PM

This topic got quickly buried by another issue, but I can't help but feel that the password appearing as plaintext is a big security hole.

#3 Yggdrasill


Posted 06 July 2010 - 03:51 AM

Ticket from me to JLH...

Me: When using the site to class-change a character, it asks for the name of the character and the account password, and you click the Next button. The new page loads and your character name and password are both displayed in plain text in the URL. Can't believe I never noticed this in the 8-ish years I've been changing characters.

Oracle: Marking for JLH to review as he's the only one that can change code based things like that.

JLH: You are correct, that's how I did it many, many years ago. There are no problems with this (unless someone is reading your internet history or watching your screen).
I guess it wouldn't hurt if I encoded it.


This is from quite a while back but there you have it.
1-alt: Inglastex Main: don't play