This repository has been archived by the owner on Dec 9, 2023. It is now read-only.

AuthenticateUserAsync Security Issue #45

Open
ayaremrah opened this issue Sep 3, 2019 · 0 comments
ayaremrah commented Sep 3, 2019

Hi
I've just checked the method "AuthenticateUserAsync". As far as I can see, plain un-hashed passwords are also posted when authorizing.

args["username"] = Uri.EscapeDataString(username);
args["pw"] = password;

I set the args["pw"] = "" in my project but it needs to be fixed here as well.

Edit: Also, for the very same reason, if your password includes characters such as "&" then the HTTP POST method will fail no matter what.
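
The encoding failure described in the edit above, shown as an added example that is not part of the original issue or the repository's code. It assumes the request builder joins `args` into a `key=value&key=value` body (that code is not shown on the page); `BuildBodyNaive`, `BuildBodyEncoded` and the sample credentials are hypothetical.

```csharp
// Added example, not code from the repository. BuildBodyNaive is a hypothetical
// stand-in for a request builder that joins args as "key=value" pairs with '&'.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Web; // HttpUtility.ParseQueryString

static class FormEncodingDemo
{
    // Mirrors the snippet in the issue: username escaped, password inserted raw.
    static string BuildBodyNaive(string username, string password)
    {
        var args = new Dictionary<string, string>
        {
            ["username"] = Uri.EscapeDataString(username),
            ["pw"] = password
        };
        return string.Join("&", args.Select(kv => kv.Key + "=" + kv.Value));
    }

    // Pass raw values here: FormUrlEncodedContent percent-encodes keys and values
    // itself, so pre-escaping the username as well would double-encode it.
    static string BuildBodyEncoded(string username, string password)
    {
        var content = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["username"] = username,
            ["pw"] = password
        });
        return content.ReadAsStringAsync().GetAwaiter().GetResult();
    }

    static void Main()
    {
        const string user = "alice@example.com"; // constructed sample values
        const string pass = "p&ss=w+rd";

        foreach (var body in new[] { BuildBodyNaive(user, pass), BuildBodyEncoded(user, pass) })
        {
            // Decode the body the way a form-parsing server would.
            var parsed = HttpUtility.ParseQueryString(body);
            Console.WriteLine(body);
            Console.WriteLine($"  pw received: '{parsed["pw"]}', keys: {string.Join(",", parsed.AllKeys)}");
        }
    }
}
```

With the naive body, the server-side decoder sees the password cut off at the first `&` and the remainder arriving as a separate parameter; with the encoded body the password round-trips unchanged.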
