Vulnerability : Autocomplete enabled for sensitive HTML form fields on CA Spectrum 21.2.x

Article ID: 247722

Products

CA Spectrum DX NetOps

Issue/Introduction

In a new VA scan, the following vulnerability points have come up:

Vulnerability Description

The Web form contains passwords or other sensitive text fields for which the browser auto-complete feature is enabled. Auto-complete stores completed form fields and passwords locally in the browser, so that these fields are filled automatically when the user visits the site again.

Sensitive data and passwords can be stolen if the user's system is compromised.

Note, however, that form auto-complete is a non-standard, browser-side feature that each browser handles differently. Opera, for example, disregards the feature, requiring the user to enter credentials for each Web site visit.

Vulnerability Solution

Disable autocomplete for all sensitive fields.

For each sensitive field in the HTML, set the "autocomplete" attribute to "off". For example:

<input type="password" autocomplete="off" name="pw">

If there are many fields, it may be faster to set the "autocomplete" attribute to "off" in the outer <form> tag. For example:

<form action="/login.jsp" autocomplete="off" name="pw"> <input type="password" name="pw"> </form>

Service Port

8443

 

Environment

Release: All Supported Releases
Component: SPCOCK - Spectrum OneClick

Resolution

To address this issue, we have identified 7 files that need to be changed:

$SPECROOT\tomcat\webapps\spectrum\repmgr\admin\boConfig.jsp
$SPECROOT\tomcat\webapps\spectrum\repmgr\admin\boMultiSRMConfig.jsp
$SPECROOT\tomcat\webapps\spectrum\repmgr\admin\boPasswords.jsp
$SPECROOT\tomcat\webapps\spectrum\repmgr\admin\jasperConfig.jsp
$SPECROOT\tomcat\webapps\spectrum\WEB-INF\cac\cac-config.jsp
$SPECROOT\tomcat\webapps\spectrum\WEB-INF\sso\sso-config.jsp
$SPECROOT\tomcat\webapps\spectrum\WEB-INF\common\changeDBpass.jsp

Edit these files, adding autocomplete="off" to the password fields, and the vulnerability should be resolved.

For example, you can change it as follows:

    <input type="password" class="form-control" name="oldPassword" autocomplete="off"/>
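To verify the fix across the listed JSP files before re-running the scan, here is an added Python check (not CA/Broadcom code) that flags password inputs still lacking autocomplete="off" on the input itself or on an enclosing <form>, plus a helper that applies the attribute the way the resolution does. The sample markup is constructed for illustration and is not the content of any Spectrum file.

```python
import re

# Constructed sample shaped like the Spectrum JSP fragment above; not a real Spectrum file.
SAMPLE_JSP = """
  <input type="password" class="form-control" name="oldPassword" autocomplete="off"/>
  <input type="password" class="form-control" name="newPassword"/>
  <input type="PASSWORD" name="confirm" autocomplete="on">
<form action="/login.jsp" autocomplete="off"><input type="password" name="pw"></form>
"""

INPUT_TAG = re.compile(r"<input\b[^>]*>", re.I)
FORM_OPEN = re.compile(r"<form\b[^>]*>", re.I)
FORM_CLOSE = re.compile(r"</form\s*>", re.I)
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>/]+))""")
AUTOCOMPLETE = re.compile(r"""\s*autocomplete\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>/]+)""", re.I)

def attrs(tag):
    # Lower-cased attribute name -> value for one tag (JSP scriptlets inside a tag are not handled).
    return {m[1].lower(): (m[2] or m[3] or m[4] or "") for m in ATTR.finditer(tag)}

def enclosing_form(markup, pos):
    # The last <form> opened before pos, unless a </form> has already closed it.
    opens = list(FORM_OPEN.finditer(markup, 0, pos))
    closes = list(FORM_CLOSE.finditer(markup, 0, pos))
    if not opens or (closes and closes[-1].start() > opens[-1].start()):
        return None
    return opens[-1][0]

def unprotected_password_inputs(markup):
    # Password inputs the scanner would still flag: no autocomplete="off" on the input and
    # no enclosing <form autocomplete="off"> (the form setting only covers inputs without their own).
    findings = []
    for m in INPUT_TAG.finditer(markup):
        a = attrs(m[0])
        if a.get("type", "").lower() != "password" or a.get("autocomplete", "").lower() == "off":
            continue
        form = enclosing_form(markup, m.start())
        if "autocomplete" not in a and form and attrs(form).get("autocomplete", "").lower() == "off":
            continue
        findings.append(m[0])
    return findings

def add_autocomplete_off(markup):
    # Apply the resolution: give every password input an explicit autocomplete="off".
    def fix(m):
        a = attrs(m[0])
        if a.get("type", "").lower() != "password" or a.get("autocomplete", "").lower() == "off":
            return m[0]
        return re.sub(r"\s*(/?)>$", r' autocomplete="off"\1>', AUTOCOMPLETE.sub("", m[0]))
    return INPUT_TAG.sub(fix, markup)
```

Run unprotected_password_inputs over the text of each of the seven files under $SPECROOT\tomcat\webapps\spectrum and expect an empty result once the edits are in place. Note that current mainstream browsers ignore autocomplete="off" for credential fields, so the attribute clears the scanner finding rather than changing what a browser's password manager does.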