Closed Bug 272926 Opened 20 years ago Closed 19 years ago

bypasses basic authentication login dialog

Categories

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: post, Assigned: bugzilla)

Details

(Whiteboard: [sg:nse])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

I've set up basic authentication for an intranet webserver - when I access the
protected pages with IE or Mozilla a login dialog pops up as expected.
But, if I use Firefox I can advance without any login, just as on any other
normal, unprotected pages ...

Reproducible: Always
Steps to Reproduce:
1.
2.
3.




Note: the server is Jetty-4.2.20 (i.e. this might just as well be an unknown bug
in the server)

I did some additional testing, which led me to the conclusion that _this is not
a security issue_. I'm still not clear about whether this is a firefox and/or a
jetty bug or a feature (well known and accepted way of handling this situation):

I tested basic authentication with firefox on a completely different webserver
just now - it worked fine there.
And I tested accessing the protected pages on jetty with firefox-rc, from a
different machine: basic authentication worked fine as well.

Summing up:
localhost.IE      <--basic-auth--> localhost.jetty  : expected-login-dialog
localhost.firefox <--basic-auth--> localhost.jetty  : no-dialog (autologin)
other1.firefox-rc <--basic-auth--> localhost.jetty  : expected-login-dialog
other2.mozilla    <--basic-auth--> localhost.jetty  : expected-login-dialog
other1.IE         <--basic-auth--> localhost.jetty  : expected-login-dialog
localhost.firefox <--basic-auth--> other3.webserver : expected-login-dialog

Is it perhaps possible that both firefox and jetty came to agree that they
share the same host and thus refrain from authentication (like this:
firefox:page-request -> jetty:who-are-you-BASICally ->
firefox:hey-I-share-this-local-host-with-you -> jetty:alright-alright ...
jetty:page-response), since with IE I must log in on localhost?

Anyway, for now I'll post a link to this issue here on the jetty list and leave
it like this. And yes, please enlighten me, if I'm just being ignorant about
standards.
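
To separate the server's behaviour from the browser's in a test matrix like the one above, a probe that sends no `Authorization` header shows whether the server itself issues the Basic challenge. This is an added example, not part of the original report; the stand-in server, its credentials and its realm are constructed, and against a real server only `probe` and `server_enforces_basic_auth` would be pointed at its host and port.

```python
import base64
import http.client
import threading
from contextlib import closing
from http.server import BaseHTTPRequestHandler, HTTPServer

# Stand-in server with constructed credentials and realm (not from the report).
EXPECTED = "Basic " + base64.b64encode(b"alice:s3cret").decode()
WRONG = "Basic " + base64.b64encode(b"alice:wrong").decode()

class ProtectedHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        ok = self.headers.get("Authorization") == EXPECTED
        body = b"protected content\n" if ok else b"authentication required\n"
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", 'Basic realm="intranet"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def probe(host, port, path="/", authorization=None):
    """Send one GET with only the headers given; return (status, challenge)."""
    headers = {"Authorization": authorization} if authorization else {}
    with closing(http.client.HTTPConnection(host, port, timeout=5)) as conn:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.getheader("WWW-Authenticate")

def server_enforces_basic_auth(host, port, path="/"):
    """True if a request without credentials gets 401 plus a Basic challenge."""
    status, challenge = probe(host, port, path)
    return status == 401 and (challenge or "").lower().startswith("basic")

def run_demo():
    """Start the stand-in on a free loopback port and probe it three ways."""
    server = HTTPServer(("127.0.0.1", 0), ProtectedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return (server_enforces_basic_auth("127.0.0.1", port),
                probe("127.0.0.1", port, authorization=EXPECTED)[0],
                probe("127.0.0.1", port, authorization=WRONG)[0])
    finally:
        server.shutdown()
        server.server_close()
```

If `server_enforces_basic_auth` is true for a host while a browser on the same machine still shows the page without a dialog, the browser is supplying credentials or a cached copy on its own, and the server is not skipping the check.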

reporter: if this is not a security bug, are you ok with opening it?

Clearing security flag.
Group: security
Whiteboard: [sg:nse]

This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox:     http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey:   http://www.mozilla.org/projects/seamonkey/

- retested with firefox-1.0.6 and same webserver-version
- not reproducible, i.e. something that changed between v1.0 and v1.0.6 in
firefox fixed this

just to be sure, can you also test using 1.5beta from the provided link?

yes. verified, that firefox-v1.5beta1 is OK.

thanks, marking this worksforme then.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME