
No HTTPS enforced on forum, no logout button in web admin

0 votes
I'm a subcontractor doing some development work for one of your customers.

I notice that the login page for your forum (cms.digi.com/support/forum/login?to=) allows authentication over plaintext HTTP (http://cms.digi.com/support/forum/login?to=). An inline login form is presented on every non-authenticated page. Your web server really ought to force upgrading/redirecting all HTTP requests to HTTPS, since plaintext credentials can be transmitted from any forum page. Given how often humans reuse passwords, anybody positioned to capture forum credentials would likely find success in spraying them at a list of Digi devices scraped from Shodan.

Ironically, the XBee Industrial Gateway I'm working on *is* configurable enough to drop support for plain HTTP, but does not have a logout button anywhere I could find on the web administration portal (NOT the "Remote Manager" interface). There does not seem to be a way to terminate one's session. I can't tell if there is a session involved at all or if it's my browser auto-authenticating on every page (some of the code examples present the use of cookies), but the lack of a logout button does not instill confidence that my credentials cannot be re-used when I walk away from a shared terminal.

XBIG Product ID: 0x806f
Firmware Version: 3.2.30.4 xbigw release gw-3.2.30.4 10/28/2019 13:23:07 CDT

Thanks for your consideration.
asked Jan 8 in RF Solutions and XBee by starfish New to the Community (3 points)
recategorized Jan 8 by rmaroun
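The two controls the post asks for, forcing HTTPS before any login form is served and a logout that actually terminates the session on the server, as an added example that is not code from the original post, from Digi's forum, or from the gateway firmware. It is a minimal WSGI application with an in-memory session store; the host name gw.example, the user admin and its password are constructed for the demo, and the request() helper drives the app with a hand-built WSGI environ so it runs without a network or server process.

```python
# Added example, not code from the original post or from Digi's forum or gateway firmware.
# A minimal WSGI app showing the two controls the post asks for:
#   1. every plain-HTTP request is redirected to HTTPS (plus HSTS) before any form is served;
#   2. login creates a server-side session and logout destroys it, so a copied or
#      left-behind cookie cannot be replayed afterwards.
# Host name, user name and password below are constructed for the demo.
import hmac
import io
import secrets
from urllib.parse import parse_qs

USERS = {"admin": "correct horse battery staple"}   # constructed credential, demo only
SESSIONS = {}                                       # token -> username (in-memory store)
HSTS = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")

def _cookie(environ, name):
    """Return the value of cookie `name` from the request, or None."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def _form(environ):
    """Parse an application/x-www-form-urlencoded body into {field: value}."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    raw = environ["wsgi.input"].read(length).decode()
    return {k: v[0] for k, v in parse_qs(raw).items()}

def app(environ, start_response):
    method = environ["REQUEST_METHOD"]
    path = environ.get("PATH_INFO", "/")
    host = environ.get("HTTP_HOST", "localhost")

    # (1) Plain HTTP: redirect to the same URL on https. Note the limit of this control:
    # credentials already POSTed over http are already on the wire; the redirect and HSTS
    # protect the *next* request, which is why the form must never be served over http.
    if environ.get("wsgi.url_scheme") != "https":
        query = environ.get("QUERY_STRING", "")
        location = f"https://{host}{path}" + (f"?{query}" if query else "")
        start_response("301 Moved Permanently", [("Location", location), ("Content-Length", "0")])
        return [b""]

    token = _cookie(environ, "session")
    user = SESSIONS.get(token) if token else None

    if method == "POST" and path == "/login":
        form = _form(environ)
        expected = USERS.get(form.get("user", ""), "")
        if expected and hmac.compare_digest(expected, form.get("pass", "")):
            token = secrets.token_urlsafe(32)
            SESSIONS[token] = form["user"]
            # Secure: never sent over http; HttpOnly: not readable by page scripts;
            # SameSite=Strict: not attached to cross-site requests.
            set_cookie = f"session={token}; Path=/; Secure; HttpOnly; SameSite=Strict"
            start_response("303 See Other", [("Location", "/"), ("Set-Cookie", set_cookie), HSTS])
            return [b""]
        start_response("401 Unauthorized", [("Content-Type", "text/plain"), HSTS])
        return [b"bad credentials\n"]

    if method == "POST" and path == "/logout":
        # (2) Invalidate on the server, not just in the browser: deleting the cookie alone
        # would leave a copied token usable until it expired.
        SESSIONS.pop(token, None)
        expire = "session=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Strict"
        start_response("303 See Other", [("Location", "/login"), ("Set-Cookie", expire), HSTS])
        return [b""]

    if user is None:
        start_response("302 Found", [("Location", "/login"), HSTS])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain"), HSTS])
    return [f"logged in as {user}\n".encode()]

def request(method, path, scheme="https", cookie=None, body=None, host="gw.example"):
    """Drive `app` with a hand-built WSGI environ: no network, no server process."""
    data = (body or "").encode()
    environ = {
        "REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": "",
        "wsgi.url_scheme": scheme, "HTTP_HOST": host,
        "CONTENT_LENGTH": str(len(data)), "wsgi.input": io.BytesIO(data),
    }
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    captured = {}
    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)
    out = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], out

def session_token(headers):
    """Pull the session token out of the Set-Cookie header returned by /login."""
    return headers["Set-Cookie"].split(";", 1)[0].split("=", 1)[1]

if __name__ == "__main__":
    print(request("GET", "/login", scheme="http")[:2])       # 301 to https://gw.example/login
    _, headers, _ = request("POST", "/login", body="user=admin&pass=correct+horse+battery+staple")
    tok = session_token(headers)
    request("POST", "/logout", cookie=f"session={tok}")
    print(request("GET", "/", cookie=f"session={tok}")[:2])  # 302 to /login: old token is dead
```

The last step of the script is the check the post could not perform on the gateway: after logout, the previously valid cookie is replayed and must be refused, which only happens when logout removes the session on the server rather than merely clearing the browser's cookie. Against a live site the first control can be checked from the outside: a plain-HTTP request for the login page should answer with a 301 or 308 and an https Location, and the HTTPS response should carry Strict-Transport-Security.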


...