
List:       konq-bugs
Subject:    Bug#43305: marked as done (security: www-site password is transferred to validator.w3.org for html-c
From:       owner () bugs ! kde ! org (Stephan Kulow)
Date:       2002-08-31 5:03:20

Your message with subj: kdeaddons/konq-plugins/validators

kdeaddons/konq-plugins/validators plugin_validators.cpp,1.14,1.15
Author: waba


Modified Files:
         plugin_validators.cpp
Log Message:
CCMAIL: 43305-done@bugs.kde.org
Do not send passwords to w3c.org (BR43305)



has caused the attached bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I'm
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Stephan Kulow
(administrator, KDE bugs database)

(Complete bug history is available at http://bugs.kde.org/db/43/43305.html)

Received: (at submit) by bugs.kde.org; 31 May 2002 12:15:11 +0000
Received: (qmail 9084 invoked by uid 33); 31 May 2002 12:15:11 -0000
Date: 31 May 2002 12:15:11 -0000
Message-ID: <20020531121511.9081.qmail@mail.kde.org>
To: submit@bugs.kde.org
Subject: security: www-site password is transferred to validator.w3.org for html-code check function
From: xsov@mail.ru
X-KDE-Received: -212.176.226.222

Package:           konqueror
Version:           KDE 3.0.0 
Severity:          wishlist
Installed from:    Slackware Packages
Compiler:          GCC 2.95.3
OS:                Linux
OS/Compiler notes: Linux Slackware 8.0 (GCC from Slackware)

1. We have a www-site with a password.
2. We use a link like http://USER:PASSWD@SITE.DOM
3. It is OK that PASSWD disappears in the address bar when going to this link.
4. It is a security hole when PASSWD is transferred to validator.w3.org without notification, when I use the HTML-code check function from the menu.

Seriously, a dumb user can use this function, and the password for an intranet-corporate confidential www-system will be transferred over the whole internet to validator.w3.org.

I think the same hole exists with the CSS-code check.

(Submitted via bugs.kde.org)

_______________________________________________
Konq-bugs mailing list
Konq-bugs@mail.kde.org
http://mail.kde.org/mailman/listinfo/konq-bugs
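
The class of fix the commit log describes, as an added example: this is not the code from plugin_validators.cpp and not KDE's actual change. It strips the `USER:PASSWD@` userinfo from a page URL before that URL is handed to an external service; the validator endpoint path and `uri` parameter, and all function names, are assumptions made for the illustration.

```cpp
#include <cctype>
#include <cstdio>
#include <string>

// Drop "user:password@" from the authority of a URL (RFC 3986, section 3.2).
// Only the authority is touched: an '@' in the path or query is left alone.
std::string stripUserInfo(const std::string &url)
{
    const std::size_t sep = url.find("://");
    if (sep == std::string::npos || sep == 0)
        return url;                              // no scheme://authority
    for (std::size_t i = 0; i < sep; ++i) {      // "://" must follow a scheme,
        const unsigned char c = url[i];          // not sit inside a query string
        if (!std::isalnum(c) && c != '+' && c != '-' && c != '.')
            return url;
    }
    const std::size_t authStart = sep + 3;
    std::size_t authEnd = url.find_first_of("/?#", authStart);
    if (authEnd == std::string::npos) authEnd = url.size();
    // Cut at the last '@' in the authority so nothing before the host survives.
    const std::size_t at = url.rfind('@', authEnd);
    if (at == std::string::npos || at < authStart) return url;
    return url.substr(0, authStart) + url.substr(at + 1);
}

// Percent-encode everything except RFC 3986 unreserved characters.
std::string percentEncode(const std::string &s)
{
    static const char hex[] = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : s) {
        if (std::isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~')
            out += static_cast<char>(c);
        else { out += '%'; out += hex[c >> 4]; out += hex[c & 0x0F]; }
    }
    return out;
}

// Build the request sent to the third party (assumed endpoint and parameter).
std::string validatorRequest(const std::string &pageUrl)
{
    return "http://validator.w3.org/check?uri=" + percentEncode(stripUserInfo(pageUrl));
}

int main()
{
    // Constructed input, using the placeholder URL from the bug report.
    std::puts(validatorRequest("http://USER:PASSWD@SITE.DOM/index.html").c_str());
}
```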

