Operational Defect Database

BugZero found this defect 3362 days ago.

WatchGuard Technologies | kA10H000000g3FeSAI

Qualys WAS scan incorrectly reports vulnerability “Password is present in HTTP traffic unrelated to the login”

Last update date:

6/29/2016

Affected products:

Firebox M200

Firebox M300

Firebox M270

Firebox M370

Firebox M470

Firebox M570

Firebox M670

Firebox M290

Firebox M390

Firebox M400

Firebox M500

Firebox M440

Affected releases:

All

Fireware

11.x

11.10.x

11.10

11.9.x

11.9

11.9.1

11.9.3

11.9.4

11.9.5

11.9.6

Fixed releases:

All

Description:

Issue

Qualys Web Application Scanning incorrectly reports that the WatchGuard Authentication portal and the Mobile VPN with SSL client download portal have the vulnerability “Password is present in HTTP traffic unrelated to the login” (Qualys Vulnerability ID 150052), which is treated as a HIGH priority vulnerability. This report is a false positive: it is triggered by a CSS comment block in the web page’s source that contains the word “password”, not by actual password data being transmitted in plaintext.

Workaround/Solution

No workaround is necessary, as this is not a vulnerability. Firmware versions 11.10.1 and later no longer present this issue.

Status

Resolved
