A new vulnerability assessment (VA) scan of OneClick reports the following finding:
Vulnerability Description:
The Web form contains passwords or other sensitive text fields for which the browser auto-complete feature is enabled. Auto-complete stores completed form fields and passwords locally in the browser, so that these fields are filled in automatically when the user visits the site again.
Sensitive data and passwords can be stolen if the user's system is compromised.
Note, however, that form auto-complete is a non-standard, browser-side feature that each browser handles differently. Opera, for example, disregards the feature, requiring the user to enter credentials on each Web site visit.

Vulnerability Solution:
Disable autocomplete for all sensitive fields:
<input type="password" autocomplete="off" name="pw">
If there are many fields, it may be faster to set the "autocomplete" attribute to "off" on the outer <form> tag. For example:
<form action="/login.jsp" autocomplete="off"> <input type="password" name="pw"> </form>

Service Port:
8443
Release - All Supported Releases
Component : SPCOCK - Spectrum OneClick
To address this finding, the following 7 files need to be changed:
$SPECROOT\tomcat\webapps\spectrum\repmgr\admin\boConfig.jsp
$SPECROOT\tomcat\webapps\spectrum\repmgr\admin\boMultiSRMConfig.jsp
$SPECROOT\tomcat\webapps\spectrum\repmgr\admin\boPasswords.jsp
$SPECROOT\tomcat\webapps\spectrum\repmgr\admin\jasperConfig.jsp
$SPECROOT\tomcat\webapps\spectrum\WEB-INF\cac\cac-config.jsp
$SPECROOT\tomcat\webapps\spectrum\WEB-INF\sso\sso-config.jsp
$SPECROOT\tomcat\webapps\spectrum\WEB-INF\common\changeDBpass.jsp
Add autocomplete="off" to every password input in these files (or to the enclosing <form> tag) and re-run the scan; the finding should no longer be reported. Note that the built-in password managers of current browsers ignore autocomplete="off" on password fields and still offer to save the credential, so the change satisfies the scanner's check and disables legacy form autofill rather than preventing credential storage outright.
For example, change a password field as follows:
<input type="password" class="form-control" name="oldPassword" autocomplete="off"/>
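As an added worked example (not part of this article and not Spectrum's own code), the script below applies the fix mechanically and lets you verify it: it walks the 7 JSP files under $SPECROOT, reports every password input that is neither marked autocomplete="off" itself nor inside a <form autocomplete="off">, and inserts the attribute where it is missing. The sample JSP embedded for the self-check is constructed here in the style of the affected pages; $SPECROOT is taken from the command line and is an assumption about how the script is run.

```python
import re
import sys
from pathlib import Path

# The 7 files named in this article, relative to $SPECROOT (forward slashes work on Windows too).
FILES = [
    "tomcat/webapps/spectrum/repmgr/admin/boConfig.jsp",
    "tomcat/webapps/spectrum/repmgr/admin/boMultiSRMConfig.jsp",
    "tomcat/webapps/spectrum/repmgr/admin/boPasswords.jsp",
    "tomcat/webapps/spectrum/repmgr/admin/jasperConfig.jsp",
    "tomcat/webapps/spectrum/WEB-INF/cac/cac-config.jsp",
    "tomcat/webapps/spectrum/WEB-INF/sso/sso-config.jsp",
    "tomcat/webapps/spectrum/WEB-INF/common/changeDBpass.jsp",
]

# Matches <form ...>, </form> and <input ...> tags; the attribute text is captured for inspection.
TAG_RE = re.compile(r"<(/?)(form|input)\b([^>]*)>", re.IGNORECASE)
# name="value", name='value' or name=value attribute pairs.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'/>]+))""")


def attrs_of(body):
    """Parse a tag's attribute text into a dict keyed by lowercase attribute name."""
    out = {}
    for m in ATTR_RE.finditer(body):
        out[m.group(1).lower()] = (m.group(3) or m.group(4) or m.group(5) or "").strip()
    return out


def find_unprotected_password_inputs(html):
    """Return (start, end, name) spans of password inputs that carry no autocomplete="off"
    and are not inside a <form autocomplete="off">; attribute order, quoting and case vary."""
    hits = []
    form_off = False  # true while inside a <form autocomplete="off"> ... </form>
    for m in TAG_RE.finditer(html):
        closing, tag, body = m.group(1), m.group(2).lower(), m.group(3)
        if tag == "form":
            form_off = False if closing else attrs_of(body).get("autocomplete", "").lower() == "off"
            continue
        a = attrs_of(body)
        if a.get("type", "").lower() != "password" or form_off:
            continue
        if a.get("autocomplete", "").lower() != "off":
            hits.append((m.start(), m.end(), a.get("name", "")))
    return hits


def harden(html):
    """Insert autocomplete="off" into every unprotected password input, keeping the tag's own
    closing style (/> or >). Patches from the end so earlier offsets stay valid."""
    out = html
    for start, end, _ in reversed(find_unprotected_password_inputs(html)):
        tag = html[start:end]
        if tag.endswith("/>"):
            patched = tag[:-2].rstrip() + ' autocomplete="off"/>'
        else:
            patched = tag[:-1].rstrip() + ' autocomplete="off">'
        out = out[:start] + patched + out[end:]
    return out


# Constructed sample in the style of the affected JSPs (not Spectrum's actual source).
SAMPLE_JSP = """<form action="changeDBpass.jsp" method="post">
  <input type="password" class="form-control" name="oldPassword"/>
  <input type='Password' name="newPassword" >
  <input type="password" name="confirmPassword" autocomplete="off"/>
  <input type="text" name="username">
</form>
<form action="sso-config.jsp" autocomplete="off">
  <input type="password" name="bindPassword">
</form>
"""


def main(specroot, write=False):
    """Report (and with write=True, patch in place after saving a .bak copy) the listed files."""
    for rel in FILES:
        path = Path(specroot) / rel
        if not path.exists():
            print(f"missing: {path}")
            continue
        html = path.read_text(encoding="utf-8", errors="replace")
        hits = find_unprotected_password_inputs(html)
        print(f"{path}: {len(hits)} unprotected password input(s) {[n for _, _, n in hits]}")
        if write and hits:
            path.with_suffix(path.suffix + ".bak").write_text(html, encoding="utf-8")
            path.write_text(harden(html), encoding="utf-8")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: fix_autocomplete.py SPECROOT [--write]")
    main(sys.argv[1], write="--write" in sys.argv[2:])
```

Run it once without --write to see what would change, then with --write to patch; the scanner counts a field as protected when either the input or its enclosing form carries autocomplete="off", which is why the checker tracks form state rather than looking only at the input tag.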