Security risk: bugzilla passwords show up in stdout

VERIFIED FIXED in M13

Status

SeaMonkey
General
P3
normal
VERIFIED FIXED
19 years ago
13 years ago

People

(Reporter: Claudius Gayle, Assigned: Kevin McCluskey (gone))

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Updated

19 years ago
Target Milestone: M1
(Reporter)

Description

19 years ago
t
h
i
s

i
s

a

t
e
s
t
Target Milestone: M1 → M11
marking m11.

cc'ing davidm and morse.  they should know more about this than I do.


I've seen this before though.  as I type my mail news password, the characters
show up in the console.
checked in a "fix".

I don't see the "one character per line" behaviour, but I do see the
"mPassword text is XXXXX" behaviour, which is scary too.

jfrancis and buster:  I just checked in a change to
mozilla/editor/base/nsTextEditRules.cpp
so that the code that prints out "mPassword text is XXXXX" is wrapped with
#ifdef DEBUG_jfrancis and #ifdef DEBUG_buster, depending on who wrote the code.

marking fixed.
(Reporter)

Updated

19 years ago
Status: RESOLVED → REOPENED
(Reporter)

Comment 3

19 years ago
the one character per line thing has nothing to do with this bug really.
That was some weird text field widget thing. I still see a problem with the
1999090708 Linux build. If I go to the Bugzilla main page and select 'forget
current login' and then 'change password' I'm presented with the standard bugzilla
login page. If I type in my name and password and click 'Login' the following is
printed to the console.
Bugzilla_login=claudius%40netscape.com&Bugzilla_password=XXXXXX&GoAheadAndLogin=
login

where of course XXXXXX is my password in clear text.
Status: REOPENED → ASSIGNED
claudius, the problem that you describe is caused by someone in the code doing a
printf of the url, probably for some debugging reason.

I'll try to hunt it down and wrap it with some #ifdef DEBUG_<author> lines.

accepting.

Updated

19 years ago
Resolution: FIXED → ---

Comment 5

19 years ago
Clearing Fixed resolution due to reopen.

Updated

18 years ago
Target Milestone: M11 → M10

Comment 6

18 years ago
Move milestone stoppers to M10
Status: ASSIGNED → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → WORKSFORME
I don't think this is still happening.  marking works for me.
(Reporter)

Updated

18 years ago
Status: RESOLVED → REOPENED
(Reporter)

Comment 8

18 years ago
still happens exactly as I stated in my comments from 09/07 which seems
different from what you fixed prior to that.
Target Milestone: M10 → M12
moving to m12.

Updated

18 years ago
QA Contact: leger → claudius
Resolution: WORKSFORME → ---

Comment 10

18 years ago
Clearing WORKSFORME resolution due to Reopen.

Updated

18 years ago
Assignee: sspitzer → don
Status: REOPENED → NEW
Summary: passwords show up in stdout → bugzilla passwords show up in stdout

Comment 11

18 years ago
Seems like we're not talking about mail/news passwords here; reassigning to don.

Comment 12

18 years ago
Move to M13.

Updated

18 years ago
Assignee: don → danm
Summary: bugzilla passwords show up in stdout → Security risk: bugzilla passwords show up in stdout

Comment 13

18 years ago
Isn't this a generic dialog problem?
danm.  Reassign to me if you're swamped, I can look at this too.

Updated

18 years ago
Assignee: danm → karnaze

Updated

18 years ago
Target Milestone: M13

Comment 14

18 years ago
When I follow Claudius' instructions from 09/07/99, I see form submission debug output,
not generic dialog output. Reassigning for consideration to karnaze, who owns the printfs
in question (DebugPrint and its use in nsFormFrame::OnSubmit).

Updated

18 years ago
Assignee: karnaze → kmcclusk

Comment 15

18 years ago
Reassigning to Kevin.
(Assignee)

Updated

18 years ago
Status: NEW → ASSIGNED
Target Milestone: M13
(Assignee)

Updated

18 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → FIXED
(Assignee)

Comment 16

18 years ago
Fixed in 1/6/2000 2:07PM build. I commented out the lines that were printing
the contents of form elements when the form was submitted.
(Reporter)

Updated

18 years ago
Status: RESOLVED → VERIFIED
(Reporter)

Comment 17

18 years ago
VERIFIED fixed with 20000111 builds
Product: Browser → Seamonkey
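
Added example (not part of the bug thread and not Mozilla's code): the fixes above wrap or comment out the debug printfs; where a form-submission trace is still wanted, an alternative is to redact secret-looking fields before anything reaches the console. `RedactFormData`, the keyword list, and the sample credentials are assumptions constructed for illustration.

```cpp
#include <cctype>
#include <cstdio>
#include <initializer_list>
#include <string>

// Decode %XX and '+' in a field name and lowercase it, so an encoded or
// mixed-case name (e.g. "Bugzilla%5FPassword") cannot dodge the keyword match.
static std::string DecodeName(const std::string& s) {
  std::string out;
  for (size_t i = 0; i < s.size(); ++i) {
    if (s[i] == '%' && i + 2 < s.size() && std::isxdigit((unsigned char)s[i + 1]) &&
        std::isxdigit((unsigned char)s[i + 2])) {
      out += (char)std::stoi(s.substr(i + 1, 2), nullptr, 16);
      i += 2;
    } else {
      out += (s[i] == '+') ? ' ' : s[i];
    }
  }
  for (char& c : out) c = (char)std::tolower((unsigned char)c);
  return out;
}

// Assumed policy: a field whose decoded name contains one of these is secret.
static bool IsSensitive(const std::string& name) {
  for (const char* k : {"password", "passwd", "pwd", "secret", "token"})
    if (name.find(k) != std::string::npos) return true;
  return false;
}

// Return a copy of an application/x-www-form-urlencoded body that is safe to log.
std::string RedactFormData(const std::string& body) {
  std::string out;
  for (size_t pos = 0; pos <= body.size();) {
    size_t amp = body.find('&', pos);
    if (amp == std::string::npos) amp = body.size();
    std::string pair = body.substr(pos, amp - pos);
    size_t eq = pair.find('=');
    if (eq != std::string::npos && IsSensitive(DecodeName(pair.substr(0, eq))))
      pair = pair.substr(0, eq) + "=[REDACTED]";
    if (pos) out += '&';
    out += pair;
    pos = amp + 1;
  }
  return out;
}

int main() {
  // Constructed sample in the shape of the console line quoted in comment 3.
  std::puts(RedactFormData("Bugzilla_login=user%40example.com&Bugzilla_password=hunter2&GoAheadAndLogin=login").c_str());
}
```

Name-based redaction only covers fields the keyword list anticipates, so keeping such traces out of release builds, as the thread's fixes do, remains the stronger control.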