Password not encrypted in SSO source code

Discussion in 'Feedback and Suggestions' started by softdesi, Dec 25, 2019.

  1. softdesi

    softdesi Member

    Hey everyone,

    I recently saw the SSO Main Page source code (using Chrome) and found out that my account username and password were laying there in plain text.

    Shouldn't these values be encrypted, at least the password field?

    EDIT: Removed screenshot of code
     
    Last edited: Dec 25, 2019
  2. mycoo368

    mycoo368 Member

    I would email that over to either support or directly to Corey. That would be a security flaw. Especially the password; ideally, both should be hidden.

    Do you mean the account username as in to log in to the servers, or to log into SSO? Even then it probably is not much of a security issue, because you have to get through SSO to be able to get that.
     
  3. softdesi

    softdesi Member

    It's the DirectAdmin account details, the ones you can use to enter directly into x15.x10hosting.com, for example.

    I will email that to them, seems like a good idea.
     
  4. caftpx10

    caftpx10 Well-Known Member

    This was not the first time it was noticed. If I recall correctly from their past explanation, the passwords are hashed, but the credentials from the POST request are stored in the session. They would be 'printed' onto the page with the intention of submitting those details to the control panel, which saves the end user from having to manually log into the control panel too.
     
    Last edited: Jan 6, 2020
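The pattern caftpx10 describes (credentials held in the SSO session written into an auto-submitting form) beside a hardened variant that hands the browser only a short-lived, single-use token mapped to the user on the server. This is an added illustration in Python, not x10hosting's or DirectAdmin's code; the `panel.example` endpoint and the token-redeeming panel side are assumptions.

```python
import html
import secrets
import time

# Constructed sample session (not real credentials): what the SSO backend
# holds after the user's login POST, per caftpx10's description.
SESSION = {"da_user": "demo_user", "da_pass": "demo-password-123"}
PANEL_LOGIN = "https://panel.example/CMD_LOGIN"   # hypothetical endpoint

def render_insecure(session):
    """The thread's pattern: session credentials written into a hidden
    auto-submitting form, so the password is readable in 'view source'."""
    return (
        f'<form id="da" method="post" action="{PANEL_LOGIN}">'
        f'<input type="hidden" name="username" value="{html.escape(session["da_user"])}">'
        f'<input type="hidden" name="password" value="{html.escape(session["da_pass"])}">'
        '</form><script>document.getElementById("da").submit()</script>'
    )

# Hardened variant: the browser only ever sees a random, short-lived,
# single-use handoff token; the username and password stay server-side.
HANDOFF_TOKENS = {}          # token -> (username, expiry timestamp)
TOKEN_TTL_SECONDS = 60

def issue_handoff_token(session, now=None):
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    HANDOFF_TOKENS[token] = (session["da_user"], now + TOKEN_TTL_SECONDS)
    return token

def render_hardened(session, now=None):
    token = issue_handoff_token(session, now)
    return (
        f'<form id="da" method="post" action="{PANEL_LOGIN}">'
        f'<input type="hidden" name="handoff" value="{token}">'
        '</form><script>document.getElementById("da").submit()</script>'
    )

def redeem_handoff_token(token, now=None):
    """Panel side (assumed to exist): exchange the token exactly once and
    refuse it after the TTL. Returns the username, or None."""
    now = time.time() if now is None else now
    entry = HANDOFF_TOKENS.pop(token, None)   # pop => single use
    if entry is None:
        return None
    username, expiry = entry
    return username if now <= expiry else None

def page_leaks_secret(page, secret):
    """Check a reviewer can run on rendered output before it ships."""
    return secret in page or html.escape(secret) in page
```

The hardened page still carries a bearer token, so the short TTL and the single-use pop are what bound the exposure if someone reads the source.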
