217625 - POP3 passwords are stored in Password Manager although forbidden

Status: VERIFIED FIXED

(MailNews Core :: Security, defect)

Description

[Karsten Düsterloh]

Mozilla 1.5b release:
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5b) Gecko/20030827

Steps to reproduce:
- add new POP3 account that needs username/password
- try to get new mail: MailNews asks for the password
- enter password (but do *not* mark the checkbox for saving!)
- open Password Manager: an entry for this account has been added!

Furthermore, everytime you hit CTRL-T etc. to check for new mail, another
identical entry is added to the PM.

After closing Mozilla and starting up again, the entries are still visible in
the PM, but getting mail requires re-entering the password. 
This means, that Mozilla is even *claiming* to not having the password stored,
but does otherwise!

Marking as security problem.

Comment 1

[Karsten Düsterloh]

I forgot to mention:
This does not occur with news or imap server requiring authentification!

Comment 2

[chris hofmann]

adding mscott and bienvenu

Comment 3

[David :Bienvenu]

taking, I'm sure that's my fault

Comment 4

[David :Bienvenu]

Attachment: proposed fix

we only need to store the password if we're password protecting the local cache
- otherwise, the password mgr/prompter handles this.

Comment 5

[(not reading, please use seth@sspitzer.org instead)]

Comment on attachment 130563 [details] [diff] [review]
proposed fix

r/a=sspitzer

Comment 6

[David :Bienvenu]

fixed

Comment 7

[Christopher Aillon (sabbatical, not receiving bugmail)]

Opening.

Comment 8

[David Epstein]

Verified with 1.7 RC3 Gecko/20040608. not appearing in the psswd mgr.