[wp-trac] [WordPress Trac] #12522: Don't show password in plaintext in installer confirmation page
WordPress Trac
wp-trac at lists.automattic.com
Fri Mar 5 05:30:35 UTC 2010
#12522: Don't show password in plaintext in installer confirmation page
--------------------------+-------------------------------------------------
Reporter: caesarsgrunt | Owner: ryan
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.0
Component: Security | Version: 3.0
Severity: major | Keywords:
--------------------------+-------------------------------------------------
Just noticed that after the user chooses a password, it is shown in
plaintext on the next page (presumably a hangover from when it used to be
generated and so had to be shown). This is a '''major''' security flaw.
Just as password entry fields always use asterisks or bullets rather than
showing plaintext, so that people in the vicinity don't see the password
being entered, the password should not be shown here in plaintext. The
issue is, in fact, more severe than just a password entry field, since (a)
the information is shown for longer and (b) the page could be cached under
some circumstances, with potentially disastrous results.
Can anyone think of a reason to show the password here, or can we remove
it?
--
Ticket URL: <http://core.trac.wordpress.org/ticket/12522>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
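The fix the ticket asks for, as an added illustration that is not WordPress core code and not the reporter's: a confirmation page that echoes a password only when the installer generated it itself (the one case where the user has no other way to learn it), never when the user typed it, and that sends no-store headers so the page is not cached. The vulnerable shape is kept beside it for comparison. All function and parameter names here are hypothetical.

```php
<?php
// Added example, not WordPress core code. Names are hypothetical.
declare(strict_types=1);

/**
 * Tell the browser and any intermediary not to keep a copy of this page.
 * This addresses point (b) in the report: a cached confirmation page would
 * retain whatever it displayed, so the page must not be cacheable at all.
 */
function send_no_store_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: Wed, 11 Jan 1984 05:00:00 GMT');
}

/**
 * VULNERABLE shape (the behaviour the ticket describes): whatever password
 * was submitted is written back into the HTML, regardless of its origin.
 */
function render_install_success_leaky(string $username, string $password): string
{
    $user = htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
    $pw   = htmlspecialchars($password, ENT_QUOTES, 'UTF-8');
    return "<h1>Success!</h1>\n<table>\n"
         . "<tr><th>Username</th><td>{$user}</td></tr>\n"
         . "<tr><th>Password</th><td><code>{$pw}</code></td></tr>\n"
         . "</table>\n";
}

/**
 * HARDENED shape: the password is displayed only when the installer
 * generated it ($password_was_generated === true). A user-chosen password
 * is never echoed; the page just reminds the user that they picked one.
 */
function render_install_success(string $username, bool $password_was_generated, string $password): string
{
    $user = htmlspecialchars($username, ENT_QUOTES, 'UTF-8');

    if ($password_was_generated) {
        // Shown exactly once, on a no-store page; the user must record it.
        $pw     = htmlspecialchars($password, ENT_QUOTES, 'UTF-8');
        $pw_row = "<tr><th>Password</th><td><code>{$pw}</code>"
                . " (write this down; it will not be shown again)</td></tr>";
    } else {
        // Do not leak the value the user typed into the form.
        $pw_row = "<tr><th>Password</th><td>The password you chose.</td></tr>";
    }

    return "<h1>Success!</h1>\n<table>\n"
         . "<tr><th>Username</th><td>{$user}</td></tr>\n"
         . "{$pw_row}\n"
         . "</table>\n";
}

/**
 * Regression check a maintainer can keep around: the rendered page must not
 * contain a user-chosen password. Returns true when the page is clean.
 */
function page_does_not_contain_password(string $html, string $password): bool
{
    return strpos($html, htmlspecialchars($password, ENT_QUOTES, 'UTF-8')) === false
        && strpos($html, $password) === false;
}

// Constructed sample input (not real credentials).
$username = 'admin';
$chosen   = 'correct horse battery staple';

if (PHP_SAPI !== 'cli') {
    send_no_store_headers();
}

$leaky = render_install_success_leaky($username, $chosen);
$safe  = render_install_success($username, false, $chosen);

// The leaky page exposes the password; the hardened page does not.
var_dump(page_does_not_contain_password($leaky, $chosen)); // bool(false)
var_dump(page_does_not_contain_password($safe, $chosen));  // bool(true)
```

The `page_does_not_contain_password` check is the useful part to keep as a test: it fails on the leaky renderer and passes on the hardened one, so a later change that reintroduces the echo is caught. The no-store headers are sent before any output, which is why `send_no_store_headers()` runs before the page body is printed.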