Thread: Nessus 42057: "Web Server Allows Password Auto-Completion"

  1. #1

    Hello! We have scanned our Zimbra 5.0.18 install with Nessus and found the "Web Server Allows Password Auto-Completion" problem:

    Tenable Network Security

    Is this problem "fixable" by us, or will we need to enter a bug report and wait for updated code?

    Mike Rios

  2. #2

    IMO a better answer to that threat includes locking screensavers and full-drive encryption for laptops. If you have those, then saved passwords aren't necessarily an exposure... except to a trojan specifically targeting the browser or OS password cache.

    If dealing with that potential risk in that particular way is important to you, tell people "don't save passwords." This can be enforced with (something like) group policy.

    Or, hack at the form, which is somewhere around jetty/webapps/zimbra/public/login.jsp (zmmmailboxd stop; rm -rf jetty/work/*; zmmmailboxd start required to get rid of precompiled cache).

    Or, don't use Zimbra's login form at all. Search for preauth.
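
A way to verify a login-form edit like the one suggested above, as an added example that is not part of the original thread or of Zimbra's code: it audits the rendered login page (the HTML as served, not the JSP source) for password fields that still allow auto-completion. It assumes the finding is raised when a password input has no `autocomplete="off"` on the field or on its enclosing form; the sample markup and field names are constructed.

```python
from html.parser import HTMLParser


class AutocompleteAudit(HTMLParser):
    """Flag password inputs that leave browser auto-completion enabled."""

    def __init__(self):
        super().__init__()
        self.form_off = False   # enclosing <form> carries autocomplete="off"
        self.findings = []      # (line number, field name) per flagged input

    @staticmethod
    def _is_off(attrs):
        return (attrs.get("autocomplete") or "").strip().lower() == "off"

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_off = self._is_off(attrs)
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            if not (self.form_off or self._is_off(attrs)):
                self.findings.append((self.getpos()[0], attrs.get("name")))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False


def audit(html):
    """Return [(line, name), ...] for password fields a scanner would flag."""
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample markup (field names are illustrative, not Zimbra's).
BEFORE = """<form method="post" action="/">
<input type="text" name="username">
<input type="password" name="password">
</form>"""
AFTER = BEFORE.replace('name="password"', 'name="password" autocomplete="off"')
FORM_LEVEL = BEFORE.replace("<form ", '<form autocomplete="off" ')

if __name__ == "__main__":
    for label, page in (("before", BEFORE), ("after", AFTER), ("form", FORM_LEVEL)):
        print(label, audit(page))
```

Many current browsers and password managers ignore `autocomplete="off"` on login fields, so a clean result here means the scanner finding is addressed, not that passwords can no longer be saved.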
