
Security issue in Product view: Weebly website builder - FTP password viewable in plaintext


James Rowe


Hello there, I've noted a security issue within the WHMCS system which relates to how product FTP passwords are viewed. 

The issue is evident in the 'Client Profile' view, and when viewing the product, and the 'FTP Password' field (see attached screenshot). 

The security issue relates to the fact that the password is viewable in plaintext, and is not in asterisk or 'input="password"' format upon page load, and the form field does not have a 'reveal' button/function next to it to convert the password from asterisks to plain text, and back again. This function is now common, and a good example of this can be seen in Google's password manager.

This issue is more of an issue from a physical perspective (people standing over your shoulder and viewing the password, or a screenshot logger recording it on a compromised system). 

Is there a fix for this that anybody is aware of, or any plans to release a fix? Thank you. 

[Attachment: Screen Shot 2021-10-18 at 11.15.55.png]
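For reference, the kind of field behaviour the post above is asking for, as an added example that is not WHMCS code and not part of the original post: the value is rendered into an input that is masked on page load, and a "hold to reveal" button shows it only while pressed, re-masking on release, on window blur, when the tab is hidden, or after a timeout. The element ids `ftp-password` and `ftp-password-reveal` and the 5-second window are assumptions for the example. The state machine is kept separate from the DOM binding so the re-mask logic can be exercised without a browser.

```javascript
// Added example (not WHMCS code): a "hold to reveal" password field that is
// masked on load and shows plaintext only for a bounded window. This only
// narrows the shoulder-surfing / screenshot-logger exposure the post describes;
// the value is still present in the page's DOM and in view-source.

const REVEAL_TIMEOUT_MS = 5000; // assumption: auto re-mask after 5 seconds

// Framework-free state machine: tracks whether the field is revealed and how
// long it has been revealed, so the auto re-mask can be tested without a DOM.
function createRevealState(timeoutMs = REVEAL_TIMEOUT_MS) {
  let revealed = false;
  let elapsedMs = 0;
  const hide = () => { revealed = false; elapsedMs = 0; };
  const reveal = () => { revealed = true; elapsedMs = 0; };
  // Advance the clock; re-mask once the reveal window has expired.
  const tick = (ms) => {
    if (!revealed) return;
    elapsedMs += ms;
    if (elapsedMs >= timeoutMs) hide();
  };
  const isRevealed = () => revealed;
  // The HTML input type that should be in effect for the current state.
  const inputType = () => (revealed ? 'text' : 'password');
  return { reveal, hide, tick, isRevealed, inputType };
}

// Bind the state machine to a real <input> and <button> (browser only).
// Expects the server to have rendered <input id="ftp-password" type="password">
// so the value is masked even before this script runs.
function bindRevealField(input, button, timeoutMs = REVEAL_TIMEOUT_MS) {
  const state = createRevealState(timeoutMs);
  let timer = null;
  const render = () => {
    input.type = state.inputType();
    button.setAttribute('aria-pressed', String(state.isRevealed()));
    button.textContent = state.isRevealed() ? 'Hide' : 'Show';
  };
  const hide = () => { clearTimeout(timer); state.hide(); render(); };
  const reveal = () => {
    clearTimeout(timer);
    state.reveal();
    render();
    timer = setTimeout(hide, timeoutMs); // hard upper bound on exposure
  };
  // Mouse: reveal while held, hide on release or if the pointer leaves.
  button.addEventListener('mousedown', reveal);
  button.addEventListener('mouseup', hide);
  button.addEventListener('mouseleave', hide);
  // Keyboard: Space/Enter held down reveals, key release hides.
  button.addEventListener('keydown', (e) => {
    if (e.key === ' ' || e.key === 'Enter') { e.preventDefault(); reveal(); }
  });
  button.addEventListener('keyup', hide);
  // Losing focus or switching tabs should never leave the value exposed.
  window.addEventListener('blur', hide);
  document.addEventListener('visibilitychange', () => { if (document.hidden) hide(); });
  render();
  return { state, hide };
}

// Auto-bind when loaded in a page that has the assumed elements.
if (typeof document !== 'undefined') {
  const input = document.querySelector('#ftp-password');
  const button = document.querySelector('#ftp-password-reveal');
  if (input && button) bindRevealField(input, button);
}
```

The masking itself should come from the server-rendered `type="password"`; the script only adds the reveal control and the re-mask timers. A reveal toggle does nothing about the password being embedded in the HTML and readable through developer tools or a saved page, which is a separate question from the over-the-shoulder and screenshot exposure raised here.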


On 11/22/2021 at 6:26 AM, James Rowe said: [quotes the original post above]

Don't browse your clients' confidential information when people are at your shoulder.... I really am too lazy to "hold one button" to show the numbers behind the asterisks, so for me the current way is working quite well.
