00724: Change type='text' to type='password' in ?action=attr
Description: I really consider this to be a security risk; passwords should never be seen in plain text, not even on admin sites. There's always the risk of someone behind your back.
And it's really a simple fix, just edit the line 1597 in pmwiki.php 2.1.3
<td><input type='text' name='$attr' value='$value' /></td>
To: <td><input type='password' name='$attr' value='$value' /></td>
Because the attribute fields may be used to enter items other than passwords, the entry fields are in cleartext. If it's important to make this a configurable option, I can do that.
--Pm
These fields allow entering two or more passwords, auth @groups and page locks @lock and @nopass, all separated by spaces (a space is not allowed in passwords nor in keywords, nor @ as a first character). If the field is "password", a user can successfully lock himself and to recover the page he will need an administrator. --Petko August 02, 2007, at 07:34 PM
Declined.
--Pm November 14, 2007, at 09:55 AM