POP3 passwords are stored in Password Manager although forbidden

VERIFIED FIXED

Status

MailNews Core
Security
--
critical
VERIFIED FIXED
14 years ago
9 years ago

People

(Reporter: Karsten Düsterloh, Assigned: Bienvenu)

Tracking

Trunk
x86
Windows 2000

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

1.40 KB, patch
(not reading, please use seth@sspitzer.org instead)
: review+
(not reading, please use seth@sspitzer.org instead)
: approval1.5+
Details | Diff | Splinter Review
(Reporter)

Description

14 years ago
Mozilla 1.5b release:
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5b) Gecko/20030827

Steps to reproduce:
- add new POP3 account that needs username/password
- try to get new mail: MailNews asks for the password
- enter password (but do *not* mark the checkbox for saving!)
- open Password Manager: an entry for this account has been added!

Furthermore, everytime you hit CTRL-T etc. to check for new mail, another
identical entry is added to the PM.

After closing Mozilla and starting up again, the entries are still visible in
the PM, but getting mail requires re-entering the password. 
This means, that Mozilla is even *claiming* to not having the password stored,
but does otherwise!

Marking as security problem.
(Reporter)

Comment 1

14 years ago
I forgot to mention:
This does not occur with news or imap server requiring authentification!

Comment 2

14 years ago
adding mscott and bienvenu
(Assignee)

Comment 3

14 years ago
taking, I'm sure that's my fault
Assignee: sspitzer → bienvenu
(Assignee)

Comment 4

14 years ago
Created attachment 130563 [details] [diff] [review]
proposed fix

we only need to store the password if we're password protecting the local cache
- otherwise, the password mgr/prompter handles this.
(Assignee)

Updated

14 years ago
Attachment #130563 - Flags: superreview?(scott)
Comment on attachment 130563 [details] [diff] [review]
proposed fix

r/a=sspitzer
Attachment #130563 - Flags: review+
Attachment #130563 - Flags: approval1.5+
(Assignee)

Comment 6

14 years ago
fixed
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED
Opening.
Group: security

Updated

13 years ago
Attachment #130563 - Flags: superreview?(mscott)

Comment 8

13 years ago
Verified with 1.7 RC3 Gecko/20040608. not appearing in the psswd mgr.
Status: RESOLVED → VERIFIED
Product: MailNews → Core
Product: Core → MailNews Core
You need to log in before you can comment on or make changes to this bug.