
@jackbuehner
Collaborator

@jackbuehner jackbuehner commented Jul 10, 2025

This change switches the credential validation request from GET to POST. When it was a GET request, the credentials were encoded in the URL. This ensures that credentials are not exposed in the IIS logs, which would include the credentials from the URL.

Tested with:

  • local credentials
  • domain credentials

Test release: https://github.com/jackbuehner/raweb/releases/tag/v2025.07.10.0

Resolves #89

@jackbuehner jackbuehner self-assigned this Jul 10, 2025
@jackbuehner jackbuehner added the security Related to a security issue or improvement label Jul 10, 2025
@jackbuehner jackbuehner marked this pull request as ready for review July 10, 2025 22:17
@jackbuehner jackbuehner merged commit 8532657 into kimmknight:master Jul 10, 2025
@jackbuehner
Collaborator Author

@kimmknight would you mind publishing a security advisory for this? I don't have permission.

Title: Credentials are exposed in IIS logs

Description

Impact

Credentials are exposed in the IIS logs at C:\inetpub\logs\LogFiles\W3SVC1. Access to these logs requires administrator privileges unless the permissions on the logs folder have been modified.

Patches

The problem has been patched in RAWeb release v2025.07.10.0.

Workarounds

Disable IIS logs.

References

Reported by @akarl10 in issue #89.
Fixed by @jackbuehner in PR #90.

Ecosystem: GitHub Release

Package name: kimmknight/raweb

Affected versions: >= 2025.06.16.1, < v2025.07.10

Patched versions: >= 2025.07.10.0

Severity (CVSS v3) vector string: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Common weakness enumerator: CWE-532

Credits: @akarl10 - Reporter, @jackbuehner - Remediation developer

@jackbuehner jackbuehner deleted the validate-via-post branch July 10, 2025 22:45
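As an added defensive check that is not part of this PR or the RAWeb project: the scanner below parses IIS W3C extended log lines and flags requests whose query string carries credential-like parameter names, which is the exposure described in the PR description and in the advisory draft above. The field list, URI stem, client addresses and parameter names in the sample are constructed assumptions, not RAWeb's actual values.

```python
from urllib.parse import parse_qs

# Query-string parameter names treated as sensitive. These are generic
# guesses, not RAWeb's real parameter names (which this example does not know).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "secret", "token"}

# Constructed sample lines in IIS W3C extended format; not real log data.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2025-07-10 20:01:02 10.0.0.5 GET /auth/validate.aspx username=alice&password=Hunter2! 443 - 10.0.0.9 200
2025-07-10 20:01:09 10.0.0.5 GET /favicon.ico - 443 - 10.0.0.9 404
2025-07-10 20:02:15 10.0.0.5 POST /auth/validate.aspx - 443 - 10.0.0.9 200
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue  # other directives (#Software, #Version, #Date) and blanks
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = raw.split(" ")  # IIS separates fields with single spaces
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))

def find_credential_leaks(text, sensitive=SENSITIVE_PARAMS):
    """Return (method, uri-stem, [leaked param names]) for requests whose query
    string carries a sensitive parameter. Values are deliberately not returned,
    so the finding itself does not re-expose the secret."""
    findings = []
    for entry in parse_w3c(text):
        query = entry.get("cs-uri-query", "-")
        if query == "-":
            continue  # IIS writes '-' for an empty query string (e.g. the POST)
        params = parse_qs(query, keep_blank_values=True)
        leaked = sorted(p for p in params if p.lower() in sensitive)
        if leaked:
            findings.append((entry["cs-method"], entry["cs-uri-stem"], leaked))
    return findings

if __name__ == "__main__":
    for method, stem, names in find_credential_leaks(SAMPLE_LOG):
        print(f"{method} {stem}: credential parameter(s) in URL: {', '.join(names)}")
```

Running it over the constructed sample reports only the GET to the validation endpoint; the POST that replaced it leaves no query string behind, which is the point of the change.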
@kimmknight
Owner

Absolutely, and thank you! Just at the zoo with my family, will get on to it this evening.


Development

Successfully merging this pull request may close these issues.

RAWeb form login should not send password with a HTTP GET