Password field submitted using GET method #10320
Labels
answered
For when a question was asked and we referred to forum or answered it.
Comments
|
which form do you mean exactly? Login form, user data form,... ? |
|
Login form |
sgiehl
added
the
answered
|
that's not correct, Looking at the rendered HTML of http://demo.piwik.org/index.php?module=Login there is a <form name="login_form" id="login_form" method="post" ng-non-bindable=""> |
|
form name: "" |
|
@Showian - I just checked the form and like Stefan said, the form sends data over POST. Below is the source code I get in my browser - Maybe a false positive from Acunetix? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Vulnerability description
This form submits user data using the GET method, therefore the contents of the password field will appear in the URL. Sensitive information should not be passed via the URL. URLs could be logged or leaked via the Referer header.
The text was updated successfully, but these errors were encountered: