Closed Bug 324951 Opened 19 years ago Closed 16 years ago

LDAP client retries incorrect stored password many times per second without warning

Categories

(MailNews Core :: LDAP Integration, defect)

x86
Windows XP
defect
Not set
major

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: speedytoast, Unassigned)

Details

(Keywords: qawanted, Whiteboard: mail)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 MultiZilla/1.7.9.0a
Build Identifier: http://ftp.mozilla.org/pub/mozilla.org/thunderbird/releases/1.5/win32/en-US/

When the LDAP username and password are stored in password manager and the password changes on the LDAP server, when addressing an email, and Thunderbird automatically tries to connect to the LDAP server, it never indicates to the user a problem exists. There is no new password prompt and there are no error messages. What it does is endlessly try to connect to the LDAP server with the incorrect account information until the process is closed. Again, there is no indication to the user anything is wrong (except not getting addresses from the LDAP server) - in the meantime the LDAP server is effectively getting DOSed.

Deleting the stored password via password manager and reconnecting to the LDAP server with correct account info fixes this.

Reproducible: Always

Steps to Reproduce:
1. Save a username/password for an LDAP server. Connect to it with Thunderbird.
2. Change the password on the LDAP server.
3. Try to connect to the LDAP server again, using the stored info.
4. Do a netstat -b to see Thunderbird constantly connected to the LDAP server.
5. Watch your LDAP server auth logs grow very fast.

Actual Results: Silently and repeatedly tries stored incorrect account information.

Expected Results: I would expect a password prompt every time a login failure occurs, at minimum, no matter if I'm connecting via LDAP/POP/SMTP/etc.

Registering this as a Security problem because of the DOS possibility against LDAP servers.
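The behaviour the report asks for, as an added example that is not part of the original report and is not Thunderbird code: a bind retry policy that never resends a password the server answered with result 49 (invalidCredentials, RFC 4511), prompts instead, and backs off on transient results. The function names, option names and limits are hypothetical.

```javascript
// Added example; names and limits are hypothetical, not Thunderbird code.
// Result codes are the ones defined in RFC 4511.
const LDAP = { SUCCESS: 0, INVALID_CREDENTIALS: 49, BUSY: 51, UNAVAILABLE: 52 };

// Decide what to do after one bind attempt. Pure function: the caller owns
// the timers, the UI and the password store.
function nextBindAction(state, resultCode, opts = {}) {
  const { baseDelayMs = 1000, maxDelayMs = 60000,
          maxTransientRetries = 5, maxPrompts = 3 } = opts;
  if (resultCode === LDAP.SUCCESS) {
    return { action: "done", state: { transient: 0, prompts: 0 } };
  }
  if (resultCode === LDAP.INVALID_CREDENTIALS) {
    // Resending the same stored password can never succeed, so it is never
    // retried: drop it and ask the user, a bounded number of times.
    if (state.prompts >= maxPrompts) {
      return { action: "give_up", reason: "password rejected repeatedly", state };
    }
    return { action: "prompt", forgetStoredPassword: true,
             state: { transient: 0, prompts: state.prompts + 1 } };
  }
  if (resultCode === LDAP.BUSY || resultCode === LDAP.UNAVAILABLE) {
    // Transient server condition: retry with exponential backoff, capped.
    if (state.transient >= maxTransientRetries) {
      return { action: "give_up", reason: "server unavailable", state };
    }
    const delayMs = Math.min(baseDelayMs * 2 ** state.transient, maxDelayMs);
    return { action: "retry", delayMs,
             state: { ...state, transient: state.transient + 1 } };
  }
  // Anything else is reported to the user rather than retried silently.
  return { action: "give_up", reason: `LDAP result ${resultCode}`, state };
}

// Drive the policy over a constructed sequence of server replies and return
// the actions taken, which shows how many binds would actually be sent.
function simulate(resultCodes, opts) {
  let state = { transient: 0, prompts: 0 };
  const actions = [];
  for (const code of resultCodes) {
    const step = nextBindAction(state, code, opts);
    actions.push(step.action === "retry" ? `retry+${step.delayMs}ms` : step.action);
    state = step.state;
    if (step.action === "done" || step.action === "give_up") break;
  }
  return actions;
}

console.log(simulate([49, 49, 0]));  // constructed replies
```

With a server that keeps rejecting the password, the policy sends at most one bind per user-entered password and stops after the prompt limit, instead of reconnecting in a tight loop.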
Version: unspecified → 1.5
Flags: blocking1.8.0.2?
Flags: blocking-thunderbird2?
Keywords: qawanted
clearing bit. dos's are generally not confidential, and we'd rather get help fixing the problem. if someone can set up netcat to do the same thing then we're not a useful dos source ...
Assignee: mscott → dmose
Group: security
Component: General → MailNews: LDAP Integration
Product: Thunderbird → Core
QA Contact: general → grylchan
Version: 1.5 → Trunk
Can anyone who's seen this reproduce it in 1.0.x as well?
Assignee: dmose → nobody
QA Contact: grylchan → ldap-integration
unconfirmed bug shouldn't block a release. If this gets confirmed and a patch is forthcoming it can be renominated
Flags: blocking1.8.0.2? → blocking1.8.0.2-
Whiteboard: mail
reporter, do you still see this issue in the latest beta? http://www.mozilla.com/en-US/thunderbird/releases/2.0b1.html
still waiting on feedback from the reporter. beta 2 is out now too: http://www.mozilla.com/en-US/thunderbird/releases/2.0b2.html
Flags: blocking-thunderbird2? → blocking-thunderbird2-
Sorry I've been unable to test this bug for quite some time and probably won't be able to anytime soon.
Product: Core → MailNews Core
WFM, it shows a dialog for a new password.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090527 Shredder/3.0b3pre
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME