Closed Bug 292262 Opened 19 years ago Closed 14 years ago

Multiple passwords in HTTP basic authentication will not be transmitted correctly

Categories

(Firefox :: Security, defect)

1.0 Branch
x86
Linux
defect
Not set
normal

Tracking


RESOLVED INCOMPLETE

People

(Reporter: joergprante, Unassigned)

References

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

In the HTTP basic authentication dialog, Firefox will send the correct password
only the first time. If the first challenge fails, the HTTP server will prompt
for authentication again. When entering different credentials, they are messed
up. The second password given is padded by the first; parts of the password of
the first try will be sent to the server again. The user will not notice the
problem. This bug is evident if the second password is shorter than the first.

Reproducible: Always

Steps to Reproduce:
1. Select an HTTP server with HTTP basic authentication, and enable debugging of
username and password credentials coming from clients
2. Open Firefox and visit the server. Enter invalid credentials with a long
password. The server will challenge again.
3. Enter (maybe correct) credentials with a shorter password than before. The
authentication fails.

Actual Results:  
Authentication is not possible without restarting Firefox if the first challenge
failed.

Expected Results:  
Firefox should always send the entered credentials to the server.

Here is a log of Firefox connecting to Tomcat 5.5.4.
The client sends username "a" and password "1234567890", which fails, followed
by a second try, username "b" and password "c". The second password "c" is
padded by "234567890".

28.04.2005 21:37:24 DEBUG [http-9090-Processor25] [localhost].[/] - Returned username "a"
28.04.2005 21:37:24 DEBUG [http-9090-Processor25] [localhost].[/] - Returned password "1234567890"
28.04.2005 21:37:38 DEBUG [http-9090-Processor25] [localhost].[/] - Returned username "b"
28.04.2005 21:37:38 DEBUG [http-9090-Processor25] [localhost].[/] - Returned password "c234567890"
Assignee: nobody → darin
Component: Security → Networking: HTTP
Product: Firefox → Core
QA Contact: firefox → networking.http
Version: unspecified → Trunk
I don't see this on a quick test against an http server I happen to have that
requires auth. Will test more later.

You could run a log and see if anything shows up:
http://www.mozilla.org/projects/netlib/http/http-debugging.html
Component: Networking: HTTP → Security
Product: Core → Firefox
QA Contact: networking.http → firefox
Version: Trunk → unspecified
I haven't been able to reproduce this bug in 1.0.4 with a simple test page[1].

The log is good and powerful, but I find most people are more comfortable with
the Live HTTP Headers extension[2].

[1] http://dent.student.umd.edu/~atrus/auth_test/
[2] http://livehttpheaders.mozdev.org/
The log shows much more information. It is therefore more helpful in analyzing bugs.
Blocks: 295238
Assignee: darin → nobody
Is this bug still reproducible?
This bug was reported on Firefox 2.x or older, which is no longer supported and will not be receiving any more updates. I strongly suggest that you update to Firefox 3.6.3 or later, update your plugins (flash, adobe, etc.), and retest in a new profile. If you still see the issue with the updated Firefox, please post here. Otherwise, please close as RESOLVED > WORKSFORME
http://www.mozilla.com
http://support.mozilla.com/kb/Managing+profiles
http://support.mozilla.com/kb/Safe+mode
Version: unspecified → 1.0 Branch
No reply, INCOMPLETE. Please retest with Firefox 3.6.3 or later and a new profile (http://support.mozilla.com/kb/Managing+profiles). If you continue to see this issue with the newest firefox and a new profile, then please comment on this bug.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INCOMPLETE
Suggest related to bug 137852 and/or bug 201620.