Closed
Bug 365238
Opened 19 years ago
Closed 6 years ago
changing outgoing mailserver with auth still sends same password
Categories
(Thunderbird :: Security, defect)
Thunderbird
Security
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 1315662
People
(Reporter: brian, Unassigned)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
Build Identifier: version 1.5.0.9 (20061207)
I have not confirmed this fully yet since I don't have two different servers to test, but I'm pretty sure if you change from one SMTP server with auth to another and have already logged in, the same password is sent to the new server.
Reproducible: Always
Steps to Reproduce:
1. Set up an outgoing server with authentication
2. Log in to said server (i.e. send an email)
3. Change the server name to a different server that also supports auth and has the same username and password (for sake of testing)
4. Send an email
Actual Results:
If I am correct the email is sent. This is an obvious security risk since anybody on your computer can change outgoing server to their own, send a test email, and have your password.
Expected Results:
Prompted for a login once anything in that outgoing server setting has changed
Again, I don't have the means to properly test this but it's a big enough security risk that it warrants a bug anyway IMO. If someone could confirm/deny this I would appreciate it.
Comment 1•19 years ago
What makes you think that would happen?
And if someone has access to your computer there are far easier ways to get your password from file (if it's stored there).
If it is stored there, if you use a master password isn't everything encrypted on the disk?
Comment 3•17 years ago
I can come pretty close to confirming this with 2.0.0.16 on Linux.
In my case, I used the same server, but tried both a different DNS name that pointed to the same IP, and a DNS name that pointed to a different IP. In both cases I got a certificate error, but when I okayed that, it sent the mail without prompting for a new password.
It will take me some server-configuration wrangling before I can test this on two completely different servers, but I would have expected that if it was going to complain, it would've done so before this point.
Comment 4•17 years ago
I can confirm this on Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090123 Shredder/3.0b2pre
It surprised me because for imap/pop etc we do drop the account password if we change username/hostname.
Assignee: dveditz → nobody
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Hardware: x86 → All
Comment 5•17 years ago
The SMTP server is defined as:
> mail.smtpserver.smtpN.hostname = xxx.yyy.zzz
> mail.smtpserver.smtpN.username = aaa.bbb.ccc
The password manager entry corresponding to it is:
> Site Username
> smtp://aaa.bbb.ccc@xxx.yyy.zzz <not specified>
If the Server_Name/User_Name of the SMTP server is changed, the SMTP definition is changed to:
> mail.smtpserver.smtpN.hostname = xxx.yyy.zzz.Changed
> mail.smtpserver.smtpN.username = aaa.bbb.ccc.Changed
The password manager entry corresponding to the new combination becomes:
> Site Username
> smtp://aaa.bbb.ccc.Changed@xxx.yyy.zzz.Changed <not specified>
The password entry (and, needless to say, the "saved password" too) for the old hostname/username combination will usually never be used.
But the old entry of smtp://aaa.bbb.ccc@xxx.yyy.zzz doesn't seem to be deleted.
So, as you say, someone who is permitted to use your PC can log in to the SMTP server without knowing the password, by defining an SMTP server with User_Name=aaa.bbb.ccc and Server_Name=xxx.yyy.zzz, unless you manually delete the old password manager entry.
> It surprised me because for imap/pop etc we do drop the account password if we change username/hostname.
For IMAP/POP3, the password manager entry used is not changed by a Server_Name/User_Name change once the account is initially defined.
Server definition:
> mail.server.serverP.hostname = xxx.yyy.zzz
> mail.server.serverP.userName = aaa.bbb.ccc
The password manager entry corresponding to it:
> Site Username
> imap://aaa.bbb.ccc@xxx.yyy.zzz <not specified> (IMAP)
> mailbox://aaa.bbb.ccc@xxx.yyy.zzz <not specified> (POP3)
When the user changes Server_Name/User_Name in the Server Settings panel, the following entries are added.
> mail.server.serverP.realhostname = xxx.yyy.zzz.Changed
> mail.server.serverP.realuserName = aaa.bbb.ccc.Changed
Login to Server_Name=xxx.yyy.zzz.Changed is executed using User_Name=aaa.bbb.ccc.Changed, but the password manager entry used is not changed.
I think that's the reason why saved password data is already cleared upon a Server_Name/User_Name change for IMAP/POP3.
Updated•17 years ago
Flags: wanted-thunderbird3?
Updated•13 years ago
Flags: wanted-thunderbird3?
(In reply to Wayne Mery (:wsmwk) from comment #6)
> similar to bug 1288988
No, I think this is more bug 1315662.
If we properly drop the password on hostname/username change in a SMTP server (as said in comment 4), there should be no way we send it to another server by mistake.
Depends on: 1315662
Flags: needinfo?(acelists)
Comment 8•6 years ago
Thanks aceman. So this issue should be fixed.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Updated•6 years ago
Resolution: FIXED → DUPLICATE
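The behaviour discussed in this thread, modelled as an added example that is not Thunderbird's code and not part of any comment: a server object that keeps a session-cached password across a hostname edit, next to one that drops it on any hostname/username change as comments 4 and 7 describe. All class and method names are hypothetical, and the in-memory cache is an assumption about the mechanism; the store key follows the `smtp://user@host` form shown in comment 5.

```javascript
// Added illustration: simplified model with hypothetical names, not Thunderbird source.

// Saved logins keyed by "smtp://user@host", the entry format shown in comment 5.
class LoginStore {
  constructor() { this.entries = new Map(); }
  key(host, user) { return `smtp://${user}@${host}`; }
  save(host, user, password) { this.entries.set(this.key(host, user), password); }
  find(host, user) { return this.entries.get(this.key(host, user)) ?? null; }
}

// Reported behaviour (assumed mechanism): the password cached for the session
// is not tied to the endpoint, so it survives a hostname edit.
class StickySmtpServer {
  constructor(store, host, user) {
    this.store = store;
    this.hostname = host;
    this.username = user;
    this.cachedPassword = null;
  }
  // Returns the password that would be offered to this.hostname, or null (= prompt).
  passwordForLogin() {
    if (this.cachedPassword === null) {
      this.cachedPassword = this.store.find(this.hostname, this.username);
    }
    return this.cachedPassword;
  }
}

// Expected behaviour: any hostname/username change drops the cached password,
// so the next login looks up the new endpoint's entry or prompts.
class BoundSmtpServer extends StickySmtpServer {
  setEndpoint(host, user) {
    if (host !== this.hostname || user !== this.username) this.cachedPassword = null;
    this.hostname = host;
    this.username = user;
  }
}

function demo() {
  const store = new LoginStore();
  store.save("smtp.example.org", "alice", "constructed-secret"); // constructed sample data
  const sticky = new StickySmtpServer(store, "smtp.example.org", "alice");
  sticky.passwordForLogin();               // first send: password cached
  sticky.hostname = "smtp.other.example";  // server name edited in settings
  const bound = new BoundSmtpServer(store, "smtp.example.org", "alice");
  bound.passwordForLogin();
  bound.setEndpoint("smtp.other.example", "alice");
  return { sticky: sticky.passwordForLogin(), bound: bound.passwordForLogin() };
}
```
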