Password not encrypted in SSO source code

softdesi

Hey everyone,

I recently saw the SSO Main Page source code (using Chrome) and found out that my account username and password were lying there in plain text.

Shouldn't these values be encrypted, at least the password field?

EDIT: Removed screenshot of code
 

mycoo368

I would email that over to either support or directly to Corey. That would be a security flaw, especially the password; ideally, both should be hidden.

Do you mean the account username as in to log in to the servers or to log in to SSO? Even so, it probably is not much of a security issue because you have to get through SSO to be able to get that.
 

softdesi

It's the DirectAdmin account details, the ones you can use to enter directly into x15.x10hosting.com, for example.

I will email that to them; seems like a good idea.
 

caftpx10

This was not the first time it was noticed. If I recall correctly from their past explanation, the passwords are hashed but the credentials from the POST request are stored in the session. They would be 'printed' onto the page with the intention to submit those details to the control panel, which helps the end-user avoid having to manually log into the control panel too.
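
A check for the pattern described in the post above (credentials written into the page so a form can submit them to the control panel), as an added example that is not part of the thread or of the host's own code. The field-name list, the sample page and its URL are constructed assumptions.

```python
from html.parser import HTMLParser

# Substrings of field names treated as credential-bearing (assumed list).
SECRET_NAMES = ("pass", "pwd", "secret", "token")

class PrefilledSecretFinder(HTMLParser):
    """Collects <input> elements that ship a secret in their value attribute."""

    def __init__(self):
        super().__init__()
        self.form_action = None  # action of the form currently open, if any
        self.findings = []       # (form action, field name, field type)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_action = a.get("action", "")
        elif tag == "input":
            name = a.get("name", "").lower()
            ftype = a.get("type", "text").lower()
            looks_secret = ftype == "password" or any(s in name for s in SECRET_NAMES)
            # An empty password box is normal; a server-filled one is the finding.
            if looks_secret and a.get("value", "").strip():
                self.findings.append((self.form_action, a.get("name", ""), ftype))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def find_prefilled_secrets(html):
    finder = PrefilledSecretFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: an auto-login form next to an ordinary login form.
SAMPLE_PAGE = """
<form method="post" action="https://panel.example.test/panel-login">
  <input type="hidden" name="username" value="demo-user">
  <input type="hidden" name="password" value="not-a-real-password">
  <input type="submit" value="Open control panel">
</form>
<form method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
"""

if __name__ == "__main__":
    for action, name, ftype in find_prefilled_secrets(SAMPLE_PAGE):
        print(f"prefilled secret field {name!r} (type={ftype}) posts to {action}")
```

Hidden fields are flagged as well as `type="password"` ones, because a hidden input is just as readable in the page source.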
 