Rundeck: Qualys Scan detects "AutoComplete Attribute Not Disabled for Password in Form Based Authentication"


Mark Prescott

Sep 2, 2019, 9:22:43 AM
to rundeck-discuss
Hi Guys,

Our server running Rundeck 3.0.24 is scanned by Qualys Vulnerability scanning and has detected the following vulnerability:

AutoComplete Attribute Not Disabled for Password in Form Based Authentication

THREAT: The Web server allows form based authentication without disabling the AutoComplete feature for the password field. Autocomplete should be turned off for any input that takes sensitive information such as credit card number, CVV2/CVC code, U.S. social security number, etc. 

IMPACT: If the browser is used in a shared computing environment where more than one person may use the browser, then "autocomplete" values may be retrieved or submitted by an unauthorized user. 

SOLUTION: Contact the vendor to have the AutoComplete attribute disabled for the password field in all forms. The AutoComplete attribute should also be disabled for the user ID field. Developers can add the following attribute to the form or input element: autocomplete="off". This attribute prevents the browser from prompting the user to save the populated form values for later reuse. Most browsers no longer honor autocomplete="off" for password input fields. These browsers include Chrome, Firefox, Microsoft Edge, IE and Opera. However, there is still an ability to turn off autocomplete through the browser, and that is recommended for a shared computing environment. Since the ability to turn autocomplete off for password input fields is controlled by the user, it is highly recommended for the application to enforce strong password rules.

Does anyone know if there is an option to disable this or what we can do to disable autocomplete on the Rundeck login page?

Thanks,
Mark 
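As an added example (not code from this thread or from Rundeck itself), the check below reproduces what the Qualys finding quoted above looks for: password and user-ID inputs on a form-based login that have no effective autocomplete="off", either on the input or inherited from the enclosing form. The HTML samples are constructed; the field names (j_username, j_password) and the form action are assumptions, not Rundeck's actual login markup. As the finding itself notes, passing this check satisfies the scanner but current browsers ignore autocomplete="off" on password fields, so the browser-side settings discussed later in the thread remain the real control on shared machines.

```python
"""Audit login-page HTML for password/user-ID inputs without autocomplete="off".

Mirrors the scanner logic behind the "AutoComplete Attribute Not Disabled for
Password in Form Based Authentication" finding: an input is flagged unless it,
or the <form> that contains it, carries autocomplete="off".
"""
from html.parser import HTMLParser

# Field names treated as the "user ID" input (assumption for this example).
USER_ID_NAMES = {"j_username", "username", "user", "login"}


class AutocompleteAuditor(HTMLParser):
    """Collect password and user-ID inputs with their effective autocomplete value."""

    def __init__(self):
        super().__init__()
        self._form_autocomplete = None  # value on the enclosing <form>, if any
        self.findings = []  # one dict per in-scope input

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form_autocomplete = attrs.get("autocomplete", "").lower() or None
        elif tag == "input":
            kind = attrs.get("type", "text").lower()  # <input> defaults to type=text
            name = attrs.get("name", "")
            is_user_id = kind == "text" and name.lower() in USER_ID_NAMES
            if kind != "password" and not is_user_id:
                return
            own = attrs.get("autocomplete", "").lower() or None
            # An attribute on the input wins; otherwise the form-level value applies.
            effective = own if own is not None else self._form_autocomplete
            self.findings.append({
                "name": name,
                "type": kind,
                "autocomplete": effective,
                "flagged": effective != "off",
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_autocomplete = None


def audit_login_page(html):
    """Return the in-scope inputs found and whether a scanner would flag each one."""
    auditor = AutocompleteAuditor()
    auditor.feed(html)
    return auditor.findings


def flagged_fields(html):
    """Names of inputs that lack an effective autocomplete="off"."""
    return [f["name"] for f in audit_login_page(html) if f["flagged"]]


# Constructed sample: a form-based login with no autocomplete attributes at all.
VULNERABLE_LOGIN = """
<form method="post" action="/j_security_check">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
  <input type="submit" value="Login">
</form>
"""

# Constructed sample: autocomplete disabled only at the form level (inherited by both inputs).
FORM_LEVEL_ONLY = """
<form method="post" action="/j_security_check" autocomplete="off">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
</form>
"""

# Constructed sample: autocomplete disabled on the form and explicitly on both fields,
# which is the form the finding's SOLUTION text asks for.
HARDENED_LOGIN = """
<form method="post" action="/j_security_check" autocomplete="off">
  <input type="text" name="j_username" autocomplete="off">
  <input type="password" name="j_password" autocomplete="off">
  <input type="submit" value="Login">
</form>
"""

if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_LOGIN),
                        ("form-level only", FORM_LEVEL_ONLY),
                        ("hardened", HARDENED_LOGIN)):
        print(f"{label}: flagged fields = {flagged_fields(page)}")
```

To run it against a real page, fetch the login page HTML with any HTTP client and pass the body to flagged_fields; an empty list means the scanner's condition is satisfied for every password and recognised user-ID field.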

Reiner Acuña

Sep 2, 2019, 12:12:35 PM
to rundeck-discuss
Hi Mark,

Thanks for your feedback, please report it also here:

https://github.com/rundeck/rundeck/issues

Maybe the fastest way to use Rundeck in shared environments is to disable password storage; for example, in Firefox go to Options > Privacy > disable "Ask to save logins and passwords for websites" and enable "Delete cookies and site data when Firefox is closed".

Greetings!

Mark Prescott

Sep 4, 2019, 9:49:45 AM
to rundeck...@googlegroups.com
Thanks Reiner. The browsers within the account do have this disabled but Qualys still flags it because it is a webserver and does not have this setting within the application. I will raise it on Github.

Mark 
