Mail management screen exposes password #1053
Assignees
Labels
bug
Something isn't working
Comments
|
Fixed by 53cdb11 |
jionggyu
pushed a commit
to jionggyu/wiki-2.5.302-patch
that referenced
this issue
Jul 9, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The password for the email account set up in the wiki is sent to the user in the password field. This can be viewed by changing the password field type to text in developer tools, using javascript, by inspecting the response data, or by inspecting network traffic if https isn't used. There's no reason to send that data to the user, it should only be transmitted if the user is updating it.
Steps to reproduce the behavior:
Have an email address configured. In the mail section of administration, inspect the password field using your browser's developer tools and modify the type parameter to text, remove it, or enter an unsupported value. You will see the password associated with the email account.
Expected behavior
No password should ever be sent to the user. One possibility is to have a placeholder value filled into the field. This will signal to the user that a value is stored, without revealing the actual password.
Host Info
The text was updated successfully, but these errors were encountered: