Jump to content

Security issue in Product view: Weebly website builder - FTP password viewable in plaintext

James Rowe

By James Rowe
in Developer Corner

 Share

Recommended Posts

James Rowe Junior Member

James Rowe

Posted
Posted

Hello there, I've noted a security issue within the WHMCS system which relates to how product FTP passwords are viewed. 

The issue is evident in the 'Client Profile' view, and when viewing the product, and the 'FTP Password' field (see attached screenshot). 

The security issue relates to the fact that the password is viewable in plaintext, and is not in asterisk or 'input="password" format upon page load, and the form field does not have a 'reveal' button/function next to it to convert the password from asterisk to plain text, and back again. This function is now common, and a good example of this can be seen in Google's password manager.

This issue is more of an issue from a physical perspective (people standing over your shoulder and viewing the password, or a screenshot logger recording it on a compromised system). 

Is there a fix for this that anybody is aware of, or any plans to release a fix? Thank you. 

Screen Shot 2021-10-18 at 11.15.55.png

0
Link to comment
Share on other sites
lulzkiller Senior Member

lulzkiller

Posted
Posted
On 11/22/2021 at 6:26 AM, James Rowe said:

Hello there, I've noted a security issue within the WHMCS system which relates to how product FTP passwords are viewed. 

The issue is evident in the 'Client Profile' view, and when viewing the product, and the 'FTP Password' field (see attached screenshot). 

The security issue relates to the fact that the password is viewable in plaintext, and is not in asterisk or 'input="password" format upon page load, and the form field does not have a 'reveal' button/function next to it to convert the password from asterisk to plain text, and back again. This function is now common, and a good example of this can be seen in Google's password manager.

This issue is more of an issue from a physical perspective (people standing over your shoulder and viewing the password, or a screenshot logger recording it on a compromised system). 

Is there a fix for this that anybody is aware of, or any plans to release a fix? Thank you. 

Screen Shot 2021-10-18 at 11.15.55.png

Don't browse your clients confidential information when people are at your shoulder.... I really am to lazy, to "hold one button" to show the numbers behind the Asterix, so for me the current way is working quite good.

0
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated

  I accept