This repository has been archived by the owner on Nov 10, 2017. It is now read-only.

[enhancement] Prevent Autocomplete Vulnerability in munkiwebadmin #23

Open
ghost opened this issue May 19, 2015 · 1 comment

Comments

@ghost commented May 19, 2015

As part of our external PCI audit munkiwebadmin has a vulnerability with django where the form password elements do not have autocomplete turned off.

Here is how to correct this:

Fix AutoComplete on Password fields

1. In Finder, go to `/usr/local/munkiwebadmin/lib/python2.7/site-packages/django/forms`
2. Make a copy of `widgets.py`
3. Edit `widgets.py`
4. Find `class PasswordInput(TextInput):`
5. On the line `def __init__(self, attrs=None, render_value=False):`, replace it with

   `def __init__(self, attrs={'autocomplete':'off'}, render_value=False):`
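A way to verify what the rendered login page actually contains, rather than trusting an edit to Django's own `widgets.py`. This is an added example and is not part of the issue, of munkiwebadmin, or of Django; it uses only the Python standard library and runs over two constructed HTML fragments that stand in for the login form before and after the change (the real munkiwebadmin page is not reproduced here). In a Django form the same attribute is normally set per field with `forms.CharField(widget=forms.PasswordInput(attrs={'autocomplete': 'off'}))`, which survives an upgrade of the site-packages copy; the checker below is what an audit scanner effectively does when it flags the finding.

```python
from html.parser import HTMLParser

# Constructed sample markup (not munkiwebadmin's real template): the shape of a
# login form before and after autocomplete is disabled on the password field.
LOGIN_FORM_BEFORE = (
    '<form method="post">'
    '<input type="text" name="username" />'
    '<input type="password" name="password" />'
    '</form>'
)
LOGIN_FORM_AFTER = (
    '<form method="post">'
    '<input type="text" name="username" />'
    '<input type="password" name="password" autocomplete="off" />'
    '</form>'
)


class PasswordInputAudit(HTMLParser):
    """Collect every <input type="password"> and its autocomplete attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (field name, autocomplete value or None)

    def handle_starttag(self, tag, attrs):
        # HTMLParser routes self-closing tags (<input ... />) here as well.
        if tag.lower() != "input":
            return
        attr_map = {k.lower(): (v if v is not None else "") for k, v in attrs}
        if attr_map.get("type", "text").lower() != "password":
            return
        self.findings.append((attr_map.get("name", ""), attr_map.get("autocomplete")))


def audit_password_fields(html):
    """Return [(field name, ok)] where ok is True only if autocomplete="off" is set."""
    parser = PasswordInputAudit()
    parser.feed(html)
    parser.close()
    return [
        (name, (value or "").strip().lower() == "off")
        for name, value in parser.findings
    ]


def failing_fields(html):
    """Names of password fields that would still be reported by the scanner."""
    return [name for name, ok in audit_password_fields(html) if not ok]


if __name__ == "__main__":
    for label, page in (("before", LOGIN_FORM_BEFORE), ("after", LOGIN_FORM_AFTER)):
        print(label, "->", audit_password_fields(page), "failing:", failing_fields(page))
```

Two caveats worth knowing before relying on the `widgets.py` edit above: a changed default argument only takes effect when a form does not pass its own `attrs` (any field that supplies `attrs={'class': ...}` silently loses the `autocomplete` default), and the edit lives in site-packages, so the next `pip` upgrade of Django overwrites it. Checking the rendered HTML, as this script does, catches both cases; it does not change the fact that current browsers may still offer to save a password regardless of the attribute.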

@keeleysam (Member)

This is really a personal preference, and is definitely not a security vulnerability.

Disabling autocomplete is an annoyance which is easily circumvented browser side.

I'd suggest you actually audit how your browsers are storing those passwords, and use SSL so it becomes difficult to MITM.

On Tuesday, May 19, 2015, Bill McIlhargey wrote:

> As part of our external PCI audit munkiwebadmin has a vulnerability with django where the form password elements do not have autocomplete turned off.

Samuel Keeley
