Forwarded to devs Plain password in URL

[Geraldo V Vieira]

Username: Geraldo V Vieira

TITLE

Plain password in URL

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian Version 18.0.35

PROBLEM DESCRIPTION

Doesn't detect password correctly when the password contains & in the password i.e ec0f&C97sGGhitsy

STEPS TO REPRODUCE

Create a URL to log in the user with & symbol in the password i.e. https://example.com:8443/[email protected]&passwd=ec0f&C97sGGhitsy

ACTUAL RESULT

Only passes ec0f to the password filed and ignores &C97sGGhitsy part of the password

EXPECTED RESULT

It's meant to pass ec0f&C97sGGhitsy into the password field

ANY ADDITIONAL INFORMATION



YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Help with sorting out

 

[alapshin]

. . .

PROBLEM DESCRIPTION

Doesn't detect password correctly when the password contains & in the password i.e ec0f&C97sGGhitsy

STEPS TO REPRODUCE

Create a URL to log in the user with & symbol in the password i.e. https://example.com:8443/[email protected]&passwd=ec0f&C97sGGhitsy

ACTUAL RESULT

Only passes ec0f to the password filed and ignores &C97sGGhitsy part of the password

EXPECTED RESULT

It's meant to pass ec0f&C97sGGhitsy into the password field
. . .
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Help with sorting out

Hello @Geraldo V Vieira,

The mentioned behaviour is related how the browser interprets some symbols, and not directly related to Plesk.
For example:
IP address - 203.0.113.2
User - admin
Password - ABC123&abc
the following URL should be used:

https://203.0.113.2:8443/login_up.php3?login_name=admin&passwd=ABC123%26abc

To 'transform' password to applicable form use encodeURIComponent function in a browser's console:

In your case URL should be the following:
https://example.com:8443/[email protected]&passwd=ec0f%26C97sGGhitsy

 

[Geraldo V Vieira]

Thank you, that helped me get it to work.