Login Security

Status
Not open for further replies.

lockandb
New Member
I have noticed something that may be alarming and I am wondering if any other users are experiencing the same occurrence. My account was reaching warning notice for inactivity suspension, so I decided that I needed to login.

When I go to login to my account it first returns this screen:

[screenshot: aXWTTPCYf.png]


Refreshing the page continues with a successful login and takes me to the control panel. I decided to investigate further.

Opening developer tools and looking at the network log in chrome I see this:

----------------------------------------------------------------------------------------

Code:
Request URL:https://x10hosting.com/sso/login/do_login
Request Method:POST
Status Code:500
Remote Address:***.***.***.***
Response Headers
cf-ray:*
content-type:text/html; charset=UTF-8
date:Sat, 17 Dec 2016 17:08:05 GMT
server:cloudflare-nginx
set-cookie:coken=*; Expires=Sat, 17-Dec-2016 19:08:04 GMT; Max-Age=7200; Path=/; Domain=.x10hosting.com; Secure
set-cookie:x10session=* Domain=.x10hosting.com; Secure; HttpOnly
status:500
vary:Accept-Encoding
x-powered-by:PHP/5.5.24
Request Headers
:authority:x10hosting.com
:method:POST
:path:/sso/login/do_login
:scheme:https
accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
accept-encoding:gzip, deflate, br
accept-language:en-US,en;q=0.8
cache-control:no-cache
content-length:150
content-type:application/x-www-form-urlencoded
cookie:__cfduid=*; xf_session=*; coken=*; __context=*; x10session=*
origin:https://x10hosting.com
pragma:no-cache
referer:https://x10hosting.com/sso/login
upgrade-insecure-requests:1
user-agent:Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Form Data
token:*
identifier:plain_text_email@myemail.com
password:plain_text_password!?
do_login:1
continue:true
usess_u:
usess_d:

----------------------------------------------------------------------------------------

I've replaced possibly sensitive information with an asterisk '*'.


What is alarming here is that my login credentials are sent to CloudFlare servers in plain text, and HttpOnly is specified in the headers. This seems very concerning, but I do not know enough about SSL and x10hosting login processes to know if it is normal or not. I feel it is not.

My site is still inaccessible even though it says online, and all that I see when I try to access it is:

[screenshot: aY3QW4V6U.png]

I would like help understanding this, as well as what I need to do to get my site functioning properly again.

I've included all linked files in the attachments.
 

Attachments: LoginError.png, SiteErrorPage.png, chrome-dev-netlog.txt
Dead-i
x10Hosting Support Ninja, Community Support
Hi,

I have escalated the problem regarding the 500 error to higher staff, who should be able to investigate.

However, I'm not sure that I understand the security problem you are reporting. CloudFlare is our CDN, but traffic between you and our CDN, and then from our CDN to our server, is encrypted; you are able to see your password in plain text because your browser is aware of what it is sending, but the actual data sent is encrypted. The "HttpOnly" flag you mentioned simply means that only our server should be able to access it, and is not related to HTTPS (in other words, there is no such thing as HttpsOnly). You're likely confusing it with the "Secure" flag, which means the cookie can only be accessed through HTTPS, and which we can see from your Chrome log is being set.

In future though, if you do have any security concerns, it's always best to submit it through https://x10hosting.com/contact (choose "Disclose Security Issue" at the dropdown), so that any issues can be handled swiftly and confidentially.
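The distinction Dead-i draws between the Secure and HttpOnly cookie attributes is easy to check mechanically. The following is an added example, not code from the thread or from x10hosting: it parses Set-Cookie header values of the kind shown in the Chrome log above and reports which protective attributes are present. The sample headers are the two from the log (values already masked with `*` in the original post); the function names `parse_set_cookie`, `audit_cookie` and `audit_headers` are my own.

```python
"""Audit Set-Cookie headers for the Secure, HttpOnly and SameSite attributes."""
from typing import Dict, List, Optional, Union

# Constructed sample: the two Set-Cookie lines from the Chrome network log
# quoted in the thread, with secret values masked as '*' exactly as posted.
# The second line is missing the ';' after 'x10session=*', as in the post;
# the parser below tolerates that and still sees the attributes that follow.
SAMPLE_SET_COOKIE_HEADERS: List[str] = [
    "coken=*; Expires=Sat, 17-Dec-2016 19:08:04 GMT; Max-Age=7200; "
    "Path=/; Domain=.x10hosting.com; Secure",
    "x10session=* Domain=.x10hosting.com; Secure; HttpOnly",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie value into name, value and a dict of attributes.

    Attribute names are lower-cased for case-insensitive lookup; flag
    attributes with no value (Secure, HttpOnly) are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attributes": attrs}


def audit_cookie(header: str) -> Dict[str, object]:
    """Report which protections a single Set-Cookie header carries.

    Secure   -> browser only sends the cookie over HTTPS.
    HttpOnly -> page scripts cannot read it via document.cookie.
    SameSite -> limits cross-site sending (absent means browser default).
    """
    parsed = parse_set_cookie(header)
    attrs = parsed["attributes"]
    samesite = attrs.get("samesite")
    samesite_value: Optional[str] = samesite if isinstance(samesite, str) else None

    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page scripts")
    if samesite_value is None:
        findings.append("missing SameSite: browser default applies")

    return {
        "name": parsed["name"],
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "samesite": samesite_value,
        "findings": findings,
    }


def audit_headers(headers: List[str]) -> List[Dict[str, object]]:
    """Audit every Set-Cookie header in a response."""
    return [audit_cookie(h) for h in headers]


if __name__ == "__main__":
    for result in audit_headers(SAMPLE_SET_COOKIE_HEADERS):
        status = "ok" if not result["findings"] else "; ".join(result["findings"])
        print(f"{result['name']}: Secure={result['secure']} "
              f"HttpOnly={result['httponly']} SameSite={result['samesite']} -> {status}")
```

Run against the two headers from the log, the session cookie `x10session` comes back with both Secure and HttpOnly set, while `coken` has Secure but not HttpOnly; neither carries SameSite, which a 2016-era server would not have sent. Whether a missing HttpOnly matters depends on what the cookie is used for, so the findings are reported rather than scored.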
 

lockandb
New Member
Thank you very much! I thought I may have been misunderstanding the plain text.

What about the DB error when accessing my site? Nothing has changed on the site, and it does it on all of my domains / sites / subdomains including newly created ones to test that it wasn't something wrong with my current one.
 