In the settings form where Simpletest asks for optional HTTP authentication credentials, the password field is of Form API type 'textfield'. It should use 'password' instead.
(Looking through the CVS logs, it appears it did this at one point, but then the code was removed and put back into core once or twice, and somewhere along the way it got converted to a textfield...)
This isn't really a security issue, since I assume that if the site is behind HTTP authentication, the user would have already had to know these credentials in order to be able to see this administrative page in the first place. However, I'm marking this as a critical bug, because it still seems like really bad practice to display the password in plain text on the screen.
| #13 | simpletest-http-auth-credentials-799932-5.patch | 2.49 KB | Stefan Freudenberg |
PASSED: [[SimpleTest]]: [MySQL] 33,661 pass(es).
PASSED: [[SimpleTest]]: [MySQL] 31,747 pass(es).
PASSED: [[SimpleTest]]: [MySQL] 20,361 pass(es).
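The change requested in the report, as an added example that is neither the attached patch nor Drupal core code: the same credential form with the password as a 'textfield' and as a 'password' element, plus the save-time handling the switch calls for, since Drupal renders a 'password' element without a value. The function names, the 'username'/'password' keys and the sample values are assumptions made for the illustration.

```php
<?php
// Added illustration in Drupal 7 Form API array style. The function names and
// the 'username'/'password' keys are hypothetical; in a module the titles
// would be wrapped in t().

// Before: the stored secret is written into the page as a visible value.
function example_httpauth_form_before(array $stored) {
  return array(
    'username' => array('#type' => 'textfield', '#title' => 'Username',
      '#default_value' => $stored['username']),
    'password' => array('#type' => 'textfield', '#title' => 'Password',
      '#default_value' => $stored['password']),
  );
}

// After: a 'password' element is masked and is rendered without a value, so
// the stored secret is never sent back to the browser.
function example_httpauth_form_after(array $stored) {
  $form = example_httpauth_form_before($stored);
  $form['password'] = array('#type' => 'password', '#title' => 'Password');
  if ($stored['password'] !== '') {
    $form['password']['#description'] = 'Leave blank to keep the current password.';
  }
  return $form;
}

// Consequence of the change: the field arrives empty unless it was retyped,
// so saving the submission as-is would erase the stored password.
function example_httpauth_resolve(array $stored, array $submitted) {
  if ($submitted['username'] === '') {
    // Clearing the username removes the credential pair.
    return array('username' => '', 'password' => '');
  }
  $password = $submitted['password'] !== '' ? $submitted['password'] : $stored['password'];
  return array('username' => $submitted['username'], 'password' => $password);
}

// Constructed sample values, not taken from the issue.
$stored = array('username' => 'qa', 'password' => 'constructed-secret');
$form = example_httpauth_form_after($stored);
var_dump(isset($form['password']['#default_value']));
$kept = example_httpauth_resolve($stored, array('username' => 'qa', 'password' => ''));
var_dump($kept['password'] === $stored['password']);
$changed = example_httpauth_resolve($stored, array('username' => 'qa', 'password' => 'new-value'));
var_dump($changed['password']);
```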