Since pictures are worth a thousand words :
Before you ask : no, this is in no way related to the recent breach, nor is it in any significant way related to the recovery work. Obviously when people get burned people get paranoid, and when people get paranoid people start reading things, such as the source of various scripts. Whereby they find things.
For instance wwwacctform, which lives behind https exclusively (because https helps) and uses complex session tokenization as displayed in cpsess3677009734 (because session tokenization also helps) proceeds to cavalierly declare the form as
<form action="/cpsess3677009734/scripts5/wwwacct" name="mainform" onsubmit="checkacctform();">
As we all know (don't we ?), the default browser behaviour is GET[i], so forms that don't specify otherwise get to send passwords as url encoded strings.
Now picture this : cpanel/whm is still the most prevalent web hosting package. I propose that simply going about sniffing wireless traffic in a more densely populated urban area for an hour or two should result in at least one password/username combo through this method. Funny how security works, isn't it.
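A static check for the pattern described above, as an added example that is not part of the original post or of cPanel's code: it flags any form whose effective method is GET and which contains a password field. The `audit` helper and the input field names in the sample are assumptions constructed for illustration; only the first form tag comes from the page.

```python
from html.parser import HTMLParser

class FormMethodAudit(HTMLParser):
    """Collect forms that submit by GET and contain a password input."""

    def __init__(self):
        super().__init__()
        self.findings = []   # (action, declared method) per risky form
        self._form = None    # the form currently open, or None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            declared = a.get("method")
            # HTML 4 DTD: method (GET|POST) GET, so a missing attribute means GET.
            # This sketch treats every value other than POST as GET.
            effective = "post" if (declared or "").strip().lower() == "post" else "get"
            self._form = {"action": a.get("action", ""), "declared": declared,
                          "effective": effective, "has_password": False}
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            form, self._form = self._form, None
            if form["effective"] == "get" and form["has_password"]:
                self.findings.append((form["action"], form["declared"]))

def audit(html):
    """Return [(action, declared_method), ...] for GET forms holding a password."""
    parser = FormMethodAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: the first form tag is the one quoted in the post,
# the input fields and the other two forms are made up for the demonstration.
SAMPLE = '''
<form action="/cpsess3677009734/scripts5/wwwacct" name="mainform" onsubmit="checkacctform();">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
<form action="/login" method="post"><input type="password" name="pass"></form>
<form action="/search"><input type="text" name="q"></form>
'''

if __name__ == "__main__":
    for action, declared in audit(SAMPLE):
        print(f"password sent via GET: action={action!r} method={declared!r}")
```
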
———-
[i] The DTD is unambiguous,
method (GET|POST) GET -- HTTP method used to submit the form--