Just checked (look at me being all helpful) Starred out in Page Source too.
If the password is actually being printed back out, it would be in the page source; inspecting it may not show as a browser design choice. I don't know the implementation to know whether or not that's the case though.
Okay, I didn't have the whole edit the field first part of the equation
I was the one who noticed it. I can still reproduce this in Safari, by clicking on the "stored credentials" option in ACP, clicking edit on the desired credential and then right clicking in the password field and inspecting. In the screenshot, you can see username is test and password is "hidemetest". Not major if you are the only admin with ACP access but unsafe if you aren't.
Yeah, sorry. I wasn't as clear about the procedure when @Brogan and myself were talking about it.
Okay, I didn't have the whole edit the field first part of the equation
Yes, I can confirm this.
@jOOc, I have the latest versions of these two add-ons but they still show up as outdated, why?
Bug fixes:
- Fixes outdated add-ons counter in XenForo 1.5 Beta 1.
@TDUBS It hasn't been fixed.
The function that returns the password begins on line 497 (function name: actionStoredCredentialsEdit). Preventing the function from returning the actual password should be enough if all you worry about is other admins that have access to Admin CP from accessing the password.
library\Waindigo\InstallUpgrade\Extend\XenForo\ControllerAdmin\AddOn.php
right before this line (adding it after will also work - just make sure it's changed before being added to $viewParams array):
$credential['password'] = "fake password";
$credential = $installUpgradeModel->prepareCredential($credential);
@TDUBS However, you can prevent the Stored Credentials page from returning the actual password when someone tries to edit it by editing this file:
The function that returns the password begins on line 497. Preventing the function from returning the actual password should be enough if all you worry about is other admins that have access to Admin CP from accessing the password.
@TDUBS It will only solve the issue that those users above reported. The issue where it's possible for other admins that have access to Admin CP to retrieve the password of the stored credentials (and if you're not on an encrypted connection, it's also possible for a MIM attacker to retrieve it though).
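An added example (not part of any post in this thread, and not XenForo or Waindigo code) of the edit-form pattern the workaround above points toward: the stored password is never placed in the view parameters, and a blank password field on save means "keep the existing value", so a placeholder can never be written back over the real credential. The function names, the `credential_id` and `hasPassword` keys, and the sample record are hypothetical; how the add-on's own save action treats the password field is not shown in the thread.

```php
<?php
// Added example: hypothetical helpers, not XenForo or Waindigo code.

const PASSWORD_UNCHANGED = ''; // a blank field means "keep the stored password"

/** Build the parameters handed to the edit template; the secret stays on the server. */
function credentialForEditView(array $stored): array
{
    $view = $stored;
    unset($view['password']);                          // nothing to find in page source
    $view['hasPassword'] = ($stored['password'] ?? '') !== '';
    return $view;
}

/** Merge a submitted edit form into the stored record. */
function applyCredentialEdit(array $stored, array $submitted): array
{
    $updated = $stored;
    $updated['username'] = trim((string) ($submitted['username'] ?? $stored['username']));

    $newPassword = (string) ($submitted['password'] ?? PASSWORD_UNCHANGED);
    if ($newPassword !== PASSWORD_UNCHANGED) {
        $updated['password'] = $newPassword;           // overwrite only when a new value was typed
    }
    return $updated;
}

// Constructed sample record, using the username/password named in the thread.
$stored = ['credential_id' => 1, 'username' => 'test', 'password' => 'hidemetest'];

// 1. What the edit page receives: no password key at all.
$view = credentialForEditView($stored);
echo 'view keys: ', implode(', ', array_keys($view)), PHP_EOL;

// 2. Admin renames the account and leaves the password field blank.
$renamed = applyCredentialEdit($stored, ['username' => 'test2', 'password' => '']);
echo 'password kept after rename: ', var_export($renamed['password'] === 'hidemetest', true), PHP_EOL;

// 3. Admin types a new password (constructed value).
$rotated = applyCredentialEdit($stored, ['username' => 'test', 'password' => 'n3w-value']);
echo 'password replaced on rotate: ', var_export($rotated['password'] === 'n3w-value', true), PHP_EOL;
```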