OS Name/Version: Ubuntu 22.04
Product Name/Version: AMP Release “Phobos”
v2.6.2, built 29/05/2025 16:05
Problem Description:
Passwords for the management WebUI are sent from the client browser to the host server in plain text.
Steps to reproduce:
- Open the login page for AMP server
- Open browser developer console and navigate to the network tab.
- Log into the AMP server console.
- In the Developer Console, locate a line labeled ‘login’, and click on it to inspect it.
- On the ‘payload’ tab you will see the username and password used to log in, in plain text.
Actions taken to resolve so far:
- Updated to latest version
Notes:
I am only using AMP on my local LAN, and for that reason, I have been too lazy to set up SSL. Even so, I was quite surprised to see that the credentials are sent in plain text in an HTTP POST request.
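
As an added example, not part of the original post and not AMP's own code: a Node.js script that scans a HAR file exported from the browser's Network tab and lists requests that carry password-like fields over plain HTTP. The key-name pattern, the `/login` path and the sample entries are constructed assumptions.

```javascript
// Added example. The key-name pattern and SAMPLE_HAR are constructed, not taken from AMP.
const SECRET_KEY = /pass(word|wd)?|pwd|secret/i;

// Return the parameter names found in a request body (form params, JSON, or urlencoded text).
function bodyKeys(postData) {
  if (!postData) return [];
  if (Array.isArray(postData.params) && postData.params.length) {
    return postData.params.map((p) => p.name);
  }
  const text = postData.text || "";
  try {
    const keys = [];
    const walk = (v) => {
      if (v && typeof v === "object") {
        for (const [k, child] of Object.entries(v)) { keys.push(k); walk(child); }
      }
    };
    walk(JSON.parse(text));
    return keys;
  } catch {
    return [...new URLSearchParams(text).keys()];
  }
}

// Flag requests that carry secret-looking fields over http://. Only field names are
// reported, so the findings can be shared without leaking the values.
function findCleartextCredentials(har) {
  const findings = [];
  for (const { request } of har.log.entries) {
    const url = new URL(request.url);
    if (url.protocol !== "http:") continue; // https: body is encrypted in transit
    const fields = bodyKeys(request.postData).filter((k) => SECRET_KEY.test(k));
    if (fields.length) findings.push({ method: request.method, url: url.origin + url.pathname, fields });
  }
  return findings;
}

// Constructed HAR excerpt (192.0.2.0/24 is a documentation range).
const SAMPLE_HAR = { log: { entries: [
  { request: { method: "GET", url: "http://192.0.2.10:8080/" } },
  { request: { method: "POST", url: "http://192.0.2.10:8080/login",
      postData: { mimeType: "application/json", text: '{"username":"admin","password":"example-only"}' } } },
  { request: { method: "POST", url: "https://amp.example.test/login",
      postData: { mimeType: "application/json", text: '{"username":"admin","password":"example-only"}' } } },
] } };

console.log(findCleartextCredentials(SAMPLE_HAR));
```

To run it against a real capture, replace `SAMPLE_HAR` with the parsed contents of a HAR file saved from the Network tab.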
