[Trac import]
Reported by: pnormand
Original date: Monday, 09 September 2013 12:31

Even if the phpreport website is using https, passing the password in clear text as a URL parameter to loginService.php presents a huge security risk

• password can be leaked from Apache logs
• if client uses a proxy the password can also be logged and leaked from those logs

Usually the password is at the very least hashed before going through the network and it's not passed as a URL parameter.