<div dir="ltr">In the article I shared, it covers this exact scenario:<div><br></div><div>"If an author would like to prevent the autofilling of password fields in user management pages where a user can specify a new password for someone other than themself, autocomplete="new-password" should be specified, though support for this has not been implemented in all browsers yet."</div><div><br></div><div>Source: <a href="https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion#The_autocomplete_attribute_and_login_fields">https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion#The_autocomplete_attribute_and_login_fields</a></div><div><br></div><div>Until all browsers support it, perhaps making it a pop up window to configure, like how IP Phone service subscriptions and speed dials are, this way you know that filling in these fields is intentional. The real trouble with how it works now is, the secure shell area is far below the view port, and you have no idea it's even happening. So, if you simply open a phone page, change the CSS, click save; you think you made 1 change, when in fact you made 3: CSS, secure shell username, and secure shell password.</div><div><br></div><div>Cisco could also put the number of fields updated on the top of the page in the Status area. E.g., 3 Changes saved successfully.</div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Mar 19, 2018 at 11:07 AM Ryan Ratliff (rratliff) <<a href="mailto:rratliff@cisco.com">rratliff@cisco.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;line-break:after-white-space">
The challenge here is that you want the “type” of the input to be set to password for these fields so the browser will replace the contents with *****.
<div><br>
</div>
<div>What would you rename in this case? Is it the label for the input, the id of the input itself? For the login and ssh password fields the ids don’t match and neither do the label fields (login page doesn’t have a label at all).
<div><br>
</div>
<div>With respect to the service profile this is also resolved in 12.0 where username and password are no longer in the service profile.</div>
<div><br>
</div>
<div>I brought this issue up with PSIRT today and the general consensus is that we are trying to do the right thing by specifying autocomplete=off on these fields. The fact that the browser ignores this for password input fields is a problem, but we
need more inputs from the DEs on how or if we can prevent this. We are going to look into back-porting the fix from 12.0 into older releases.</div>
<div><br>
<div></div></div></div></div><div style="word-wrap:break-word;line-break:after-white-space"><div><div><div>
<div>-Ryan </div></div></div></div></div><div style="word-wrap:break-word;line-break:after-white-space"><div><div><div>
<div><br>
<div>On Mar 16, 2018, at 2:10 PM, Anthony Holloway <<a href="mailto:avholloway+cisco-voip@gmail.com" target="_blank">avholloway+cisco-voip@gmail.com</a>> wrote:</div>
<br class="m_8828765704638119033Apple-interchange-newline">
<div>
<div dir="ltr">"...I think they need to rename some of these fields so that password autofill doesn't happen."
<div><br>
</div>
<div>Exactly! If you're going to build a web app, you have to understand how the browser works. Granted, the browser should be a little more intelligent about what it thinks is a login form, but the web developers should know how that process works,
and how to avoid having the browser mistake their fields for login forms.</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Fri, Mar 16, 2018 at 11:32 AM Brian Meade <<a href="mailto:bmeade90@vt.edu" target="_blank">bmeade90@vt.edu</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">This is also a problem on the Service Profile page filling in LDAP Username/Password. I see so many customers with their admin accounts filled in here from autofill on their browsers. These are sent clear-text to Jabber clients.
<div><br>
</div>
<div>I think I talked to some Cisco folks on this and it didn't get anywhere since it was more a browser issue. I think they need to rename some of these fields so that password autofill doesn't happen.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote"></div>
</div>
<div class="gmail_extra">
<div class="gmail_quote">On Wed, Mar 14, 2018 at 9:49 PM, Anthony Holloway <span dir="ltr">
<<a href="mailto:avholloway+cisco-voip@gmail.com" target="_blank">avholloway+cisco-voip@gmail.com</a>></span> wrote:<br>
</div>
</div>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="auto"><span style="font-family:sans-serif;font-size:12.8px">I'm working on something, and was wondering if you could check something for me, so I can better understand why and how often this is happening.</span>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">So, I was looking at phone config file today, and I noticed the ccmadmin username and password was in the XML, and in plain text nonetheless.</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">I found out that the browser, when told to remember your credentials, will treat the SSH username/password fields as login fields whenever you modify a phone, and you might be unknowingly
save your credentials for clear text view by unauthenticated users.</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">Is anyone already aware of this?</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">You could you run the following command on your clusters:</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><font face="monospace"><b>run sql select name, sshuserid from device where sshuserid is not null and sshuserid <> ""</b></font></div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">Then in the output, if there are any hits, look at the config XML file for the phone and see if the passwords are there.</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">E.g., </div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">output might be:</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><font face="monospace"><b><font color="#cc0000">SEP6899CD84B710</font> aholloway</b></font></div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">So then you would navigate your browser to:</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><font face="monospace"><b>http://<tftpserver>:6970/<font color="#cc0000">SEP6899CD84B710</font>.cnf.xml</b></font></div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">You then might have to view the HTML source of the page, because the browser might mess up the output.</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">You're then looking for the following two fields, your results will vary:</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><font face="monospace"><b><sshUserId>aholloway</sshUserId></b></font></div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><font face="monospace"><b><sshPassword>MyP@ssw0rd</sshPassword></b></font></div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">Then, since we now know it's happening, get list of how many different usernames you have with this command:</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><font face="monospace"><b>run sql select distinct sshuserid from device where sshuserid is not null and sshuserid <> "" order by sshuserid</b></font></div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">This could also be happening with Energy Wise settings, albeit not on the same web pages.</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">I'm curious about two things:</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">1) Is it even happening outside of my limited testing scenarios?</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">2) How many different usernames and passwords were there?</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">If the answers are yes, and 1 or more, then this is an issue Cisco should address.</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">The reason it's happening is because the way in which browsers identify login forms, is different from the way in which web developers understand it to work. Cisco uses the element attribute
on these fields "autocomplete = false" and unfortunately, most browser ignore that directive.</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">I have noticed that this does not happen, if you have more than 1 saved password for the same site, rather it will only happen if you use the same login for the entire site. Our highest
chance of seeing this happen are for operations teams where they login with their own accounts, and do not use DRS or OS Admin.</div>
</div>
<br>
</blockquote>
</div>
</div>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" rel="noreferrer" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
<br>
</blockquote>
</div>
</div>
</blockquote>
</div>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
</div>
</div>
<br>
</div></div></div></div></blockquote></div>