Bug #42813 Passwords in HTTP POST in clear Text using MySql Connector .NET v5.2.3
Submitted: 13 Feb 2009 4:50 Modified: 13 Feb 2009 14:43
Reporter: Marvin Palmer Email Updates:
Status: Closed Impact on me:
None 
Category:Connector / NET Severity:S3 (Non-critical)
Version:5.2.3 OS:Windows
Assigned to: CPU Architecture:Any
Tags: asp:login, Membership Provider

[13 Feb 2009 4:50] Marvin Palmer 
Description:
When using ASP.NET Membership and the asp:login control with MS Sql Server, the password is hashed in the HTTP POST when a user attempts to login.  However, when using MySQL and the .NET Connector v5.2.3, the user's password is transmitted in the HTTP POST in clear text.

I have posted this in more detail as a question on the ASP.NET forums here:
http://forums.asp.net/t/1375208.aspx

and on the MySQL forums here:
http://forums.mysql.com/read.php?38,243823,243823#msg-243823

but have not gotten a satisfactory answer as to how to fix this problem.

It seems to me that this is a security risk that might motivate some developers not to use MySql in production .NET web-based applications with sensitive data in their databases.

How to repeat:
Create an asp.net website and mysql 5.0 db with membership schema (a very detailed walkthough of how I do this is here: http://www.marvinpalmer.com/MarvinPalmer/post/Implement-NET-Membership-and-Roles-using-MyS...).  Add a Login.aspx page with asp:Login control on it.  At this point, I am running Fiddler to examine the HTTP POST messages generated by the site.  I build the site and login using the Login.aspx page.  

On examination in Fiddler of the HTTP POST generated by the Login.aspx page after submitting the login attempt, the password is in plain text, not masked or hashed.  This is different than what happens when using Sql Server, in which case the password is hashed in the HTTP POST.

Suggested fix:
I don't know how to fix this.
[13 Feb 2009 12:57] Tonci Grgin 
Thanks for your report Marvin.

I am not sure if "hashing" actually helps so it would be better to use secure server as described in forum. Also, I think there might be some undocumented stuff going on in the background when using MSSQL, wouldn't be the first time...

Now, what happens when using HTTPS server? Have you tried that?
[13 Feb 2009 13:29] Bogdan Degtyariov 
I do not realize how MSSQL control can do that. Since ASP.NET page has been loaded no Connector/NET code is working unless the form is posted. So, the encryption is supposed to be done on Browser's level (somewhere between typing the password and posting the contents of the form). Does MS SQL Login control have javascript that would do encryption or there is something else besides javascript?
[13 Feb 2009 14:43] Marvin Palmer 
Well, I feel like I am losing my mind.  I have observed the password hashing several times before, but now I can't reproduce it on the example MS Sql Server Login page here:
http://www.palmbeachatpickwick.com/PalmBeach/login.aspx

Thanks for looking at it, anyway.
[13 Feb 2009 17:12] Tonci Grgin 
Marvin, this is what's only possible, nothing else if something fishy isn't going on in background.

Thanks for your interest in MySQL.