  1. ZABBIX BUGS AND ISSUES
  2. ZBX-14975

Form attribute autocomplete="off" in User edit form is missing.


Details

    • Defect (Security)
    • Status: Open
    • Trivial
    • Resolution: Unresolved
    • None
    • None
    • Frontend (F)
    • Team B
    • 0.125

    Description

      It would be nice to have the autocomplete="off" attribute set on the user edit form. That improves usability (no reason to remember passwords entered there) and also reduces security risks, since users can automatically confirm when the password manager asks if the password should be saved.

      Here is a note from OWASP security guidelines:

      Also, 'Autocomplete' feature allows a browser to cache whatever the user types in an input field of a form. To check this, the form tag or the individual input tags should include 'Autocomplete="Off" ' attribute. However, it should be noted that this attribute is non-standard (although it is supported by the major browsers) so it will break XHTML validation.

      Steps to reproduce:

      0) Make sure that the password manager is not disabled from remembering passwords in the Zabbix frontend;
      1) Log in as super admin;
      2) Change the password for some user in Administration -> Users;

      Result:
      Browser password manager asks if password should be saved.
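
Added example, not part of the original report or of Zabbix code: a static check for what the OWASP note describes, reporting password inputs where neither the input tag nor its enclosing form tag sets autocomplete="off". The sample markup and its field names are constructed for illustration.

```python
from html.parser import HTMLParser

class PasswordAutocompleteAudit(HTMLParser):
    """Collect password inputs not covered by an accepted autocomplete value."""

    def __init__(self, accepted=("off",)):
        super().__init__()
        self.accepted = {v.lower() for v in accepted}
        self.in_form = False
        self.form_ok = False   # enclosing <form> carries an accepted value
        self.findings = []     # (line number, input name)

    def _is_accepted(self, attrs):
        value = dict(attrs).get("autocomplete")
        return value is not None and value.strip().lower() in self.accepted

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.in_form, self.form_ok = True, self._is_accepted(attrs)
        elif tag == "input":
            a = dict(attrs)
            if (a.get("type") or "").lower() != "password":
                return
            # An attribute on the input itself overrides the form-level one.
            ok = self._is_accepted(attrs) if "autocomplete" in a \
                else (self.in_form and self.form_ok)
            if not ok:
                self.findings.append((self.getpos()[0], a.get("name") or "?"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = self.form_ok = False

def audit(html, accepted=("off",)):
    """Return [(line, name)] for password inputs lacking an accepted value."""
    parser = PasswordAutocompleteAudit(accepted)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup (hypothetical form and field names).
SAMPLE = """\
<form name="user_edit" method="post">
  <input type="text" name="alias">
  <input type="password" name="new_password">
  <input type="Password" name="confirm_password" autocomplete="Off"/>
</form>
<form name="other" autocomplete="off">
  <input type="password" name="covered_by_form">
  <input type="password" name="opted_back_in" autocomplete="on">
</form>
"""

if __name__ == "__main__":
    for line, name in audit(SAMPLE):
        print(f"line {line}: password input '{name}' allows autocomplete")
```

Current browsers' password managers may still offer to save a password despite autocomplete="off"; MDN documents autocomplete="new-password" as the hint for such fields, which `audit(html, accepted=("off", "new-password"))` will also accept.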

          People

            zabbix.dev Zabbix Development Team
            Miks.Kronkalns Miks Kronkalns