Konqueror disclosed confidential information?



I have a really strange situation.  I wonder if anyone else has seen it.

I am debugging a dynamic application related to getting access to a database 
of users and the passwords they need to access parts of my web site.  I have 
a page which allows the administrator to edit users.

http://www.chandlerfamily.org.uk/photos/d/480-1/EditUserDetailsForm.png

Here is a picture of the screen - notice the fields that are filled in.

But below is part of the html retrieved for the form part of the screen via 
the View Document Source menu command.  The data in the fields have no 
relationship to what is on the screen (most of the fields should be blank - 
the user name is completely different).

This data looks to have come from a previous version of this form (in another 
page of the application).  



<div id="centre" class="column">
 <!-- Copyright (c) 2006 Alan Chandler, licenced under the GPL (see 
LICENCE.txt file in META-INF directory)  -->

<label for="userName">User Name</label>
<input type="text" name="userName" value="carrie" id="userName"/><br/>

<label for="password">Password</label>
<input type="password" name="password" value="" id="password"/><br/>
 
<label for="confirm">Confirm Password</label>
<input type="password" name="confirm" value="" id="confirm"/><br/>

<label for="email">Email Address</label>
<input type="text" name="email" value="" id="email"/><br/>

<label for="fullname">Full Name</label>
<input type="text" name="fullname" value="" id="fullname"/><br/>

 
 
 
 <label for="roles">Current Roles</label>
<select name="roles" multiple="multiple" id="roles">
 
  <option value="0">editor</option>
 
  <option value="1">developer</option>
 
  <option value="2" selected="selected">admin</option>
 
</select>
 
</div>

...


It is possible that JavaScript creates this data on the screen - but 

a) I don't expect it to
b) Firefox shows what I would expect (i.e. it does NOT show this strange data).

This seems to show that there could be a serious security breach somewhere 
here. I am therefore extremely worried about it.

Has anyone else experienced a similar problem?




-- 
Alan Chandler
http://www.chandlerfamily.org.uk
Open Source. It's the difference between trust and antitrust.


