Problem with password manager and admin accounts using phpBB 2.04's administration panel

RESOLVED INVALID

Status

()

--
minor
RESOLVED INVALID
15 years ago
15 years ago

People

(Reporter: tlgjaymz, Assigned: bugzilla)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

15 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5a) Gecko/20030714 Mozilla Firebird/0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5a) Gecko/20030714 Mozilla Firebird/0.6

If you use the password manager to save an admin account's username and password
on a phpBB based forum, you'll discover that when using the administration panel
to change another user's account, it'll change their username and the first
password line to your own username and password.

Reproducible: Always

Steps to Reproduce:
1. Login to a phpBB forum where you have administrator access.
2. Allow Firebird to save your username/password details.
3. Select 'Administration Panel' at the bottom of the screen.
4. Select 'Management' under the 'User Admin' section at the bottom of the menu.
5. Type in the name of, or search for, a user account other than the one you are
using.

Actual Results:  
The person's username will be replaced with your one, and the first password
entry will be automatically filled in. However, the second password line (for
confirmation) will remain blank.

Expected Results:  
The browser should not automatically fill in a username/password box if the page
defines a default username (for when you are editing another user's account).

Comment 1

15 years ago
James, I have a feeling that this is invalid for the following reason that you
will need to confirm since you apparently have access:

The passwords are filled in by looking at the field name.  The HTML code (look
at View Source) of both pages probably has something like:
<input type="password" name="password">  If both name attributes are the same on
the administrator login and the user change forms then this is INVALID and is an
issue you should submit to the phpBB forum people and tell why it should use
different form control names.  If not the same field name, then this may indeed
be a valid bug.

If you would take a look at the code on the two pages, and report the findings,
we can move your bug through the bug fixing process.
(Reporter)

Comment 2

15 years ago
In that case, it appears the problem is with phpBB, and not really an issue with
Firebird after all. The source for the admin_users.php page (where this problem
occurs) does indeed use the values "username" and "password" to identify the
user's name and an entry to type the original password, ie:

&lt;input class="post" type="text" name="username" size="35" maxlength="40"
value="Kathleen" /&gt;

&lt;input class="post" type="password" name="password" size="35" maxlength="100"
value="" /&gt;

For now, the work around is to simply not remember passwords for that particular
site (which is probably the smartest thing to do anyways, if you're an admin for
a board).
Status: UNCONFIRMED → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.