Hello,
We're running your software in a PCI Compliant environment that gets scanned every month for vulnerabilities. Our latest scan shows a vulnerability with the password field on the login page of myDBR. Below is the report.
The Web form contains passwords or other sensitive text fields for which the browser auto-complete feature is enabled. Auto-complete stores completed form fields and passwords locally in the browser, so that these fields are filled automatically when the user visits the site again.

Sensitive data and passwords can be stolen if the user's system is compromised.

Note, however, that form auto-complete is a non-standard, browser-side feature that each browser handles differently. Opera, for example, disregards the feature, requiring the user to enter credentials for each Web site visit.

Evidence:
Form with action https://xx.xxx.xxx.xxx/index.php?a=login does not explicitly disable autocomplete for the following sensitive fields: password
Status: vulnerable-exploited
Any chance you could fix this for us so we can pass our test?
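The scanner finding above boils down to a static check: is there a password input whose autocomplete is not explicitly switched off, either on the input itself or inherited from its enclosing form? The following is an added example, not code from myDBR or from the scan vendor, that reproduces that check with the Python standard library and runs it over two constructed login forms modelled on the report (the form action and field names are hypothetical; the masked IP from the report is replaced with example.invalid).

```python
from html.parser import HTMLParser

# Constructed sample markup (not myDBR's real login page): the first form matches
# the scanner finding, the second is the remediated version.
VULNERABLE_FORM = """
<form action="https://example.invalid/index.php?a=login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>
"""

FIXED_FORM = """
<form action="https://example.invalid/index.php?a=login" method="post" autocomplete="off">
  <input type="text" name="username">
  <input type="password" name="password" autocomplete="off">
  <input type="submit" value="Login">
</form>
"""


class AutocompleteAudit(HTMLParser):
    """Collects password fields that do not explicitly disable autocomplete."""

    def __init__(self):
        super().__init__()
        self._form_stack = []   # (action, autocomplete) of enclosing <form> elements
        self.findings = []      # (form_action, field_name) tuples

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form_stack.append((a.get("action", ""), a.get("autocomplete", "").lower()))
        elif tag == "input" and a.get("type", "text").lower() == "password":
            form_action, form_ac = self._form_stack[-1] if self._form_stack else ("", "")
            field_ac = a.get("autocomplete", "").lower()
            # Explicitly disabled if the field says "off", or the field is silent
            # and the enclosing form says "off". Anything else is reported.
            inherited_off = field_ac == "" and form_ac == "off"
            if field_ac != "off" and not inherited_off:
                self.findings.append((form_action, a.get("name", "")))

    def handle_endtag(self, tag):
        if tag == "form" and self._form_stack:
            self._form_stack.pop()


def audit(html):
    """Return a list of (form_action, field_name) for password fields lacking autocomplete="off"."""
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for label, markup in (("vulnerable", VULNERABLE_FORM), ("fixed", FIXED_FORM)):
        print(label, audit(markup))
```

Setting `autocomplete="off"` on the password input (or on the whole form) is what clears the finding. One caveat worth knowing when reading the result: current Chrome and Firefox ignore `autocomplete="off"` for login password fields and still offer to save the credential, so the attribute satisfies the scanner but the real protection of stored passwords rests on the user's device and browser profile.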