I have noticed during a transfer from a development server to production a potential browser security concern.
In a PHP file, I have a simple login form, POSTing to itself. The basic HTML looks like:
<form action="http://mysite.com/includes/login/login.php" method="post">
<table>
<tr>
<td>
Username:
</td>
<td>
<input type="text" name="username" size="15" maxlength="64" tabindex=1 />
</td>
</tr>
<tr>
<td>
Password:
</td>
<td>
<input type="password" name="pword" size="15" maxlength="40" tabindex=2 />
</td>
</tr>
</table>
<p><input type="submit" name="submit" value="Login" tabindex=3 /></p>
<input type="hidden" name="submitted" value="TRUE" />
</form>
I noticed when I eliminated (by accident) the ending quote from the form action (e.g., <form action="http://mysite.com/includes/login/login.php method="post">) the form redirected to a “page not found” as it should. But it also appended the $_POST data as $_GET data. So the browser displayed the login information as:
http://mysite.com/includes/login/login.php%20method=?username=theperson&pword=happyday&submit=Login&submitted=TRUE
I get the same response in IE and Chrome. Is this a big security hole or not? I know I can view similar information in the developer tools, but I am wondering if a hacker could use this and if there is anything I should do to protect it. Also, can anyone explain why the $_POST data was converted to $_GET data?
If your form looks like this:
it’s equivalent to this:
which will result in a form with two attributes:
action: http://mysite.com/includes/login/login.php method=
post": empty
Since there is no method attribute specified, the method GET is implied.
The only security consideration here is that sensitive data is sent via URL which can later show up in proxy and server logs, apart from the fact that you’re sending the login credentials over a non-secure channel.
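Added example, not part of the original question or answer: a small Python check that parses markup the way described above and flags any form with a password field whose effective method is GET or whose action is plain http. The names LoginFormAudit and audit, and the shortened sample markup, are constructed for this illustration.

```python
from html.parser import HTMLParser

class LoginFormAudit(HTMLParser):
    """Collects findings for forms that contain a password field."""

    def __init__(self):
        super().__init__()
        self.findings = []   # (action, effective method, [problems])
        self._form = None    # state of the form currently open, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            method = (attrs.get("method") or "").strip().lower()
            self._form = {
                "action": attrs.get("action") or "",
                # A missing or invalid method attribute means GET.
                "method": method if method in ("post", "dialog") else "get",
                "has_password": False,
            }
        elif tag == "input" and self._form is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag != "form" or self._form is None:
            return
        form, self._form = self._form, None
        if not form["has_password"]:
            return
        problems = []
        if form["method"] == "get":
            problems.append("password field submitted in the URL (GET)")
        if form["action"].lower().startswith("http://"):
            problems.append("action is plain http")
        if problems:
            self.findings.append((form["action"], form["method"], problems))

def audit(html):
    parser = LoginFormAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed samples based on the form in the question.
FIELDS = '<input type="text" name="username" /><input type="password" name="pword" /></form>'
BROKEN = '<form action="http://mysite.com/includes/login/login.php method="post">' + FIELDS
INTENDED = '<form action="http://mysite.com/includes/login/login.php" method="post">' + FIELDS
```

Run over templates before deployment, a check like this catches the missing quote because the form's effective method silently becomes GET.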