Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
Slightly Obscure, but Not Necessarily Insignificant Security Issue
5/24/2011 11:33 AM
 
Hi folks, I've noticed something that concerns me a little - it's quite obscure but I would have thought it would be undesirable. If you fail the login credential check, whatever you typed in the password input control is retained. I noticed this whilst logging into this very site - I had typed my username incorrectly and when the page returned my password was still populated, and when I viewed the page source, there was my password in plain text. Searching my browser cache, this was also stored on my hard drive in plain text. I know that this doesn't (by the very nature of the username/password combination failing) give a full set of credentials in one file, but isn't it somewhat undesirable to have this (certainly the password data, anyway) stored, in case it, even in the event of an incorrect password, gives anything maliciously scanning the browser cache the potential to piece together login credentials (especially if, for some reason, the cache isn't cleared when the browser closes)? I notice (as far as I can see with a quick glance) in the DNN source code that this seems to be explicitly populated in the login control:

        ' Runs before every render, including the postback after a failed login:
        ' the submitted password is copied back into the <input> value attribute,
        ' which an ASP.NET password-mode TextBox would otherwise leave empty.
        Protected Sub Page_PreRender(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.PreRender
            txtPassword.Attributes.Add("value", txtPassword.Text)
        End Sub

Why is this being done?  Surely most of the time if the password is incorrect the user would just delete it and retype it, and in the case of the username being incorrect they may well retype the password anyway, just to make sure, as it is obscured in the input box?
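A practical way to confirm the behaviour described in this post on any login page is to capture the response to a deliberately failed login and inspect it offline. The following is an added example, not code from DNN or from the poster: it takes the response headers and HTML body, checks whether the submitted password was echoed into a password field's value attribute (or anywhere else in the markup), and checks whether the response is marked `no-store` so the browser should not write it to its disk cache. The two sample responses are constructed to mimic the reported leak and a corrected page; the password, field names and form markup are made-up test data and do not claim to reproduce DNN's actual output.

```python
"""Offline check: does a failed-login response leak the submitted password?

Added example (not DNN's code). Run it as-is against the constructed samples
below, or feed check_login_response() the headers and body of a response
captured with an intercepting proxy from a real login attempt.
"""
import html
import re
from typing import Dict, List

# Match whole <input ...> tags, then pull out name="value" style attributes.
INPUT_TAG_RE = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')


def password_inputs(body: str) -> List[Dict[str, str]]:
    """Return the attribute dict of every <input type="password"> in the body.

    Attribute values are HTML-unescaped so that a password containing '&' or
    '"' still compares equal to what the user actually typed.
    """
    found = []
    for tag in INPUT_TAG_RE.findall(body):
        attrs = {}
        for m in ATTR_RE.finditer(tag):
            name = m.group(1).lower()
            value = next(v for v in m.groups()[1:] if v is not None)
            attrs[name] = html.unescape(value)
        if attrs.get("type", "").lower() == "password":
            found.append(attrs)
    return found


def check_login_response(headers: Dict[str, str], body: str,
                         submitted_password: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was detected."""
    findings = []

    # 1. The behaviour from the thread: password re-emitted in the field's value.
    for attrs in password_inputs(body):
        if attrs.get("value", "") == submitted_password:
            findings.append(
                f"password echoed in value attribute of input "
                f"'{attrs.get('name', '?')}'")

    # 2. Anywhere else in the markup (hidden field, inline script, etc.).
    #    Only reported if (1) did not already explain the occurrence.
    #    Caveat: a very short password will match by coincidence.
    escaped = html.escape(submitted_password, quote=True)
    if (submitted_password in body or escaped in body) and not findings:
        findings.append("password appears in response body outside a password input")

    # 3. Cacheability: without no-store the page (and anything in it) may be
    #    written to the browser's disk cache, which is where the poster found it.
    lowered = {k.lower(): v for k, v in headers.items()}
    if "no-store" not in lowered.get("cache-control", "").lower():
        findings.append("Cache-Control lacks no-store; a response containing "
                        "the password could be written to the browser cache")
    return findings


# ---- constructed sample data (not real credentials, not real DNN output) ----
SUBMITTED = "Tr0ub4dor&3"

# Imitates the reported behaviour: failed login re-rendered with the password.
LEAKY_HEADERS = {"Content-Type": "text/html", "Cache-Control": "private"}
LEAKY_BODY = (
    '<form method="post"><input name="txtUsername" type="text" value="mh" />'
    '<input name="txtPassword" type="password" value="Tr0ub4dor&amp;3" />'
    '<span class="error">Login failed</span></form>'
)

# Corrected page: empty password field and a no-store response.
SAFE_HEADERS = {"Content-Type": "text/html",
                "Cache-Control": "no-cache, no-store, must-revalidate"}
SAFE_BODY = (
    '<form method="post"><input name="txtUsername" type="text" value="mh" />'
    '<input name="txtPassword" type="password" />'
    '<span class="error">Login failed</span></form>'
)

if __name__ == "__main__":
    for label, hdrs, body in (("leaky", LEAKY_HEADERS, LEAKY_BODY),
                              ("safe", SAFE_HEADERS, SAFE_BODY)):
        print(label, check_login_response(hdrs, body, SUBMITTED) or ["no findings"])
```

The first check is the one that matters for this thread; the third is a separate but related point, since even a page that does not echo the password should not be stored on disk by the browser. Note that this only inspects what the server sent: a browser's own password autofill is a client-side feature and never appears in the page source.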
 
5/25/2011 6:31 AM
 
It is not default behaviour of DNN to retain the password. Are you using the default login module or a skin object?

Cheers from Germany,
Sebastian Leupold

 
5/25/2011 10:22 AM
 
It's not? I'm rather confused then - unzipping a vanilla installation from DotNetNuke_Community_05.06.01_Install.zip, running the auto config from the startup page, then logging in with non-existent credentials seems to suggest otherwise. If I log in with an invalid credential combination it retains the password I entered, and this is visible in plain text in the page source. Also, looking in the unzipped DotNetNuke_Community_05.06.02_Source.zip in the file DotNetNuke_Community_05.06.02_Source\Website\DesktopModules\AuthenticationServices\DNN\Login.ascx.vb you see the code I quoted above. This happens (to me, at least) logging in on this site, so it looks like standard behaviour to me - or am I missing something?

 
6/3/2011 4:50 AM
 
Am I correct or incorrect on this issue? I am about to start coding a major new project and was all set to do this in DotNetNuke, but if there are security concerns with it (this project has to be pretty bullet-proof) then I will have to look at not only using a new technology for it, but also migrating all our current DNN sites away from DNN, as they need to integrate with it.
Thanks
MH
 
6/13/2011 10:44 AM
 
This issue is on our list to fix for 5.6.3/6.0.

 