Closed Bug 212617 Opened 21 years ago Closed 18 years ago

Remember password does not work if javascript trigger modifies password onsubmit

Categories

(SeaMonkey :: Passwords & Permissions, defect)

Product:
SeaMonkey
Component:
Passwords & Permissions
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: iamsure, Assigned: mwu)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030612
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030612

Mozilla should remember the password in forms as-of onsubmit, not post onsubmit:

To improve security for non-https connections, we have implemented a md5
javascript login feature. Upon submit of the form, the password entered is
changed to the md5sum of the password entered, and sent. 

Remember password then remembers the md5sum, not the value in the form as-of
onsubmit.

A different implementation, that takes the entered password, md5sum's it, and
puts it into a second variable, and then clears the password value has similar
problems - Mozilla remembers the cleared password value (the changed value
post-onsubmit).

The only alternative left is to leave the password in its original form, which
results in transmitting the password in cleartext.. a problem we were trying to
prevent.

Reproducible: Always

Steps to Reproduce:
1. Sign up for player account
2. Type in username and password (have it remember password)
3. Notice password gets converted to md5sum
4. Logout
5. Relogin

Actual Results:  
Password field is auto-filled with md5sum

Expected Results:  
Password field should be auto-filled with pre-onsubmit password.
Product: Browser → Seamonkey
Please note that this often-seen-on-the-web procedure is totally useless if your
goal is to prevent sniffing the password on the wire. Any bad guy would of
course sniff the md5sum and retransmit it in order to gain unauthorized access,
without the need of knowing the original password. Essentially, the md5sum *is*
the cleartext password. The only use of such procedure is to keep a server admin
from accidentally seeing a password that a client might also use for other purposes.

For more security, use at least HTTP digest authentication as described in RFC
2617. You might also consider basic auth over HTTPS.

No, this is wrong. A carefully-written JS would include a timestamp to prevent replay attacks.
HTTPS connections would require a certificate, which such scripts work around. (Self-signed certs are 
not trusted and issue a warning which would be bad in some situations.)
Just a thought, but this bug looks like a duplicate of bug #235765.
*** Bug 235765 has been marked as a duplicate of this bug. ***
Blocks: 235765
bug 235765 is not a dupe, Firefox has its own password manager implementation.
Assignee: dveditz → nobody
Depends on: 257781
Assignee: nobody → michael.wu
This bug should have been fixed by the non-passwordmanager specific changes in bug 257781. (at the same time, it has caused the regression in bug 343182)
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.