Make WordPress Core

Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#12522 closed defect (bug) (duplicate)

Don't show password in plaintext in installer confirmation page

Reported by: caesarsgrunt
Owned by: ryan
Milestone:
Priority: normal
Severity: major
Version: 3.0
Component: Security
Keywords:
Focuses:
Cc:

Description

Just noticed that after the user chooses a password, it is shown in plaintext on the next page (presumably a hangover from when it used to be generated and so had to be shown). This is a major security flaw. Just as password entry fields always use asterisks or bullets rather than showing plaintext, so that people in the vicinity don't see the password being entered, the password should not be shown here in plaintext. The issue is, in fact, more severe than just a password entry field, since (a) the information is shown for longer and (b) the page could be cached under some circumstances, with potentially disastrous results.

Can anyone think of a reason to show the password here, or can we remove it?

Change History (2)

#1 @nacin
12 years ago

  • Milestone 3.0 deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #12479 and the main task ticket, #10396.

Good to see you active again.

#2 @caesarsgrunt
12 years ago

Thanks nacin. Yeah; I'll be around for a little while I hope, but no guarantees! Looks like I've got some catching up to do on what's been going on...
