29 Oct 1999, 4:42 p.m.
I was tweaking with adding some of the functionality of 'manage_access' to a custom form/method, and discovered what seems to be a hole in it: the form embeds the edited user's password (in plaintext) as the text of the password/confirm fields (either text or hidden fields). In either case, "View | Page Source" shows the plaintext.

"Normally", administrators are not able to see users' passwords, but can only reset them. Is this a real problem, or is BasicAuthentication so weak that we shouldn't care, anyway?

Tres.
--
=========================================================
Tres Seaver tseaver@palladion.com 713-523-6582
Palladion Software http://www.palladion.com
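An added example, not part of the original post and not Zope's own code: a check that parses a rendered form and flags password or confirm inputs that arrive with a non-empty value, the condition described in the post above. The field-name fragments and both sample forms are constructed assumptions.

```python
from html.parser import HTMLParser

# Assumption: field names containing these fragments hold credentials.
SENSITIVE_NAME_PARTS = ("password", "passwd", "pwd", "confirm")


class PrefilledSecretFinder(HTMLParser):
    """Collects <input> elements that ship a credential in their value attribute."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        kind = a.get("type", "text").lower()
        name = a.get("name", "")
        sensitive = kind == "password" or any(
            part in name.lower() for part in SENSITIVE_NAME_PARTS)
        # A masked or hidden field still exposes its value in the page source.
        if sensitive and kind in ("password", "text", "hidden") and a.get("value", ""):
            self.findings.append((name, kind))


def find_prefilled_secrets(html):
    """Return (field name, input type) for every credential field sent pre-filled."""
    finder = PrefilledSecretFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed samples: a form as the post describes it, and one with empty fields.
LEAKY_FORM = """
<form action="edit_user" method="post">
  <input type="text" name="name" value="jdoe">
  <input type="password" name="password" value="s3cret-example">
  <input type="hidden" name="confirm" value="s3cret-example">
</form>"""

FIXED_FORM = """
<form action="edit_user" method="post">
  <input type="text" name="name" value="jdoe">
  <input type="password" name="password" value="">
  <input type="password" name="confirm">
</form>"""

if __name__ == "__main__":
    print(find_prefilled_secrets(LEAKY_FORM), find_prefilled_secrets(FIXED_FORM))
```

Run against the HTML a management form actually returns, an empty result means the fields can only be used to set a new password, not to read the current one.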