Roundcube Community Forum

News and Announcements => General Discussion => Topic started by: kenw232 on September 15, 2013, 09:16:51 PM

Title: Passing password to login form via GET?
Post by: kenw232 on September 15, 2013, 09:16:51 PM
I noticed going to a URL like this will auto-populate the username but not the password:
http://demo.roundcube.net/mail/[email protected]&_pass=demopwd

Any easy way to get the latest version of Roundcube to auto-populate _pass too?
Title: Re: Passing password to login form via GET?
Post by: SKaero on September 15, 2013, 09:54:44 PM
That's a terrible way to pass a password. If you want to do something like that, use the http_authentication plugin.
Title: Re: Passing password to login form via GET?
Post by: kenw232 on September 15, 2013, 11:03:53 PM
Why is it so bad? It's just passing a string into an input's "value" variable. Not a big deal. Much easier than some plugin I have to fight.

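In fact, add this to the top of index.php and the GET variable of _user= can now just be user= without the _

// Copy ?user= into ?_user= when it is present and non-empty (isset avoids an undefined-index notice)
if (isset($_GET['user']) && $_GET['user'] !== '') { $_GET['_user'] = $_GET['user']; }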
Title: Re: Passing password to login form via GET?
Post by: SKaero on September 16, 2013, 12:17:35 AM
Passing the password in the GET string puts it in the browser history and passes the password in clear text as part of the request. It's highly insecure.
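
Added example, not part of the thread or of Roundcube's code: the query string of a GET request is also written to web server access logs and can reappear in Referer fields, so this sketch finds log lines that carry a `_pass` parameter and masks the value. The log lines, host names, the extra parameter names and the REDACTED marker are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# "_pass" is the login field named in the thread; the other two names are
# assumptions added for illustration.
SECRET_PARAMS = {"_pass", "pass", "password"}

# Everything after a "?" up to whitespace, a quote or a fragment marker.
QUERY_RE = re.compile(r'\?([^\s"#]*)')

def redact_query(query):
    """Mask secret values in a raw query string; other pairs stay byte-identical."""
    found, out = [], []
    for pair in query.split("&"):
        name, sep, _value = pair.partition("=")
        decoded = unquote_plus(name).lower()  # catches %5Fpass as well as _pass
        if sep and decoded in SECRET_PARAMS:
            found.append(decoded)
            pair = name + sep + "REDACTED"
        out.append(pair)
    return "&".join(out), found

def redact_line(line):
    """Return (redacted_line, secret_names) for one access-log line."""
    found = []
    def repl(match):
        query, names = redact_query(match.group(1))
        found.extend(names)
        return "?" + query
    return QUERY_RE.sub(repl, line), found

def scan(lines):
    """Return [(line_number, redacted_line, secret_names)] for lines that leak."""
    hits = []
    for number, line in enumerate(lines, 1):
        redacted, found = redact_line(line)
        if found:
            hits.append((number, redacted, found))
    return hits

# Constructed sample lines in combined log format (not from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Sep/2013:21:16:51 +0000] "GET /mail/?_user=demo&_pass=demopwd HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [15/Sep/2013:21:17:02 +0000] "POST /mail/?_task=login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [15/Sep/2013:21:18:40 +0000] "GET /mail/?_task=mail HTTP/1.1" 200 900 "http://mail.example/mail/?_user=a&_pass=b" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, redacted, found in scan(SAMPLE_LOG):
        print(number, found, redacted)
```

The third sample line is flagged only because of its Referer field: a later request repeats the URL of the page that was loaded with the password in it.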