[Plugin: IDrive for WordPress] V1.2: Passwords sent unencrypted!
During login, the idrive password is sent unencrypted twice, while the plugin determines that you have an active account and gets configuration settings from the server.
Version 1.2
Line 240:
The unobfuscated url is: https://www1.ibackup.com/cgi-bin/get_account_status?user=<user>&passwd=<pass>
Line 261:
The unobfuscated url is: https://www.idrive.com/cgi-bin/idrivee_get_ibackup_and_idrive?user=<user>&passwd=<pass>
The https versions of these urls appear to work, so you can manually change the plugin to make the calls over SSL. I have also submitted a ticket to IDrive, but I would not recommend using 1.2 in its current state. Your password is most likely vulnerable.
https://www.ads-software.com/extend/plugins/idrive-for-wordpress/
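An added example, not part of the original post or the plugin's code: a small Python check that can be run over outbound request URLs (for instance from a proxy or debug log) to flag the pattern reported above and produce a redacted form that is safe to log. The host `backup.example`, the sample values and every parameter name other than `passwd` are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names treated as secrets. "passwd" is the name used in the
# URLs quoted in the post; the others are assumed common variants.
SECRET_PARAMS = {"passwd", "password", "pass", "pwd", "token", "apikey"}


def audit_url(url):
    """Return (findings, redacted_url) for one outbound request URL."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    secrets = [k for k, _ in pairs if k.lower() in SECRET_PARAMS]

    findings = []
    if secrets and parts.scheme.lower() != "https":
        findings.append("secret sent without TLS: " + ", ".join(secrets))
    if secrets:
        # Even over HTTPS, the query string is typically written to
        # server access logs, so the secret belongs in a POST body.
        findings.append("secret in query string: " + ", ".join(secrets))

    # Rebuild the URL with secret values masked so it can be logged safely.
    redacted = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v)
                for k, v in pairs]
    safe_url = urlunsplit(parts._replace(query=urlencode(redacted)))
    return findings, safe_url


# Constructed sample requests (host and credential values are made up).
SAMPLES = [
    "http://backup.example/cgi-bin/get_account_status?user=alice&passwd=hunter2",
    "https://backup.example/cgi-bin/get_account_status?user=alice&passwd=hunter2",
    "https://backup.example/cgi-bin/status?user=alice",
]

if __name__ == "__main__":
    for url in SAMPLES:
        findings, safe_url = audit_url(url)
        print(safe_url)
        for finding in findings:
            print("  -", finding)
```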