Closed Bug 371714 Opened 17 years ago Closed 17 years ago

Password manager doesn't remember the password for Hattrick.org

Categories

(Toolkit :: Password Manager, defect)

1.8 Branch
x86
Windows XP
defect
Not set
major

RESOLVED WONTFIX

People

(Reporter: mika.viitanen, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2

I updated Firefox from v1.5 to v2.0.0.2. Then I went to www.hattrick.org and noticed that the browser doesn't remember the password anymore. I checked the password manager's list and saw that www.hattrick.org is in the list. I deleted it from the list and was asked if I wanted to save the password; I answered yes. Still, the next time I go to the page the login name and password fields are empty. Everything works for www76.hattrick.org, www77.hattrick.org and so on.

Reproducible: Always

Steps to Reproduce:
1. go to www.hattrick.org
2. save password
3. re-open www.hattrick.org

Actual Results:
password field is empty

Expected Results:
login name and password should be automatically filled in.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2

Confirmed partially at least. When I first register on http://www.hattrick.org with a trunk build and then restart, I see the user name and password. When I run a branch build with the same profile, I still see the user name and password, so I don't see this trouble.

But, when I go with a new blank profile without any passwords to http://www.hattrick.org it is not possible to save the password for some reason. 
Status: UNCONFIRMED → NEW
Depends on: 371525
Ever confirmed: true
Severity: normal → major
Version: unspecified → 2.0 Branch
Sorry, user name and password are saved in the password manager but not filled in. When you click in the box you see the user name but that's from the formhistory.dat.
So, www.hattrick.org returns a form that submits to a random www##.hattrick.org server. Probably some kind of load balancing? I get a different ## each time I load the page... www89, www80, www90, www78, etc.

As a result of bug 360493, the Password Manager now looks at the form action URL to make sure it's not going somewhere unexpected (i.e., a different server than the first time the form was submitted). It can't know that "www99.site.com" is also safe to submit to, but "evilserver.site.com" is not.
Seconding dolske's concern here - if we were to basically wildcard the hostname check, then sites like dreamhost.com, where every account (some honest, some shady, no doubt) gets a subdomain, are reopened to a vulnerability we just tried to close.

I guess the argument could be made that this more limited version is worth it to spare the heartache on sites like this, but really, hattrick has lots of ways to make this easier on themselves (round-robin DNS instead of randomly generated www##s for example) and I don't think we want to be reintroducing attack vectors.
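
The form-action check described in the two comments above, and the wildcard alternative they reject, sketched as an added example (not part of the original bug thread and not Firefox source). The function names, the `shared-host.example` hosts, the URL paths and the two-label base-domain shortcut are assumptions made for illustration.

```javascript
"use strict";
// Added illustration, not Firefox source. All names here are hypothetical.

// Origin (scheme://host[:port]) of a URL, resolved against the page URL.
function originOf(url, pageURL) {
  return new URL(url, pageURL).origin;
}

// Assumption: the last two labels stand in for the registrable domain.
// A real implementation would consult the Public Suffix List instead.
function baseDomain(origin) {
  return new URL(origin).hostname.split(".").slice(-2).join(".");
}

// saved: { pageOrigin, submitOrigin } recorded when the login was stored.
// "exact"    - fill only if the form submits where it did at save time.
// "wildcard" - fill for any submit host under the same base domain.
function shouldAutofill(saved, pageURL, formAction, policy) {
  if (originOf(pageURL, pageURL) !== saved.pageOrigin) return false;
  const submit = originOf(formAction, pageURL);
  if (policy === "exact") return submit === saved.submitOrigin;
  if (policy === "wildcard") {
    return baseDomain(submit) === baseDomain(saved.submitOrigin);
  }
  throw new Error(`unknown policy: ${policy}`);
}

// Constructed cases. Paths and the shared-host.example names are made up.
const CASES = [
  { name: "same www## as when saved",
    saved: { pageOrigin: "http://www.hattrick.org", submitOrigin: "http://www89.hattrick.org" },
    page: "http://www.hattrick.org/", action: "http://www89.hattrick.org/login" },
  { name: "load balancer picked another www##",
    saved: { pageOrigin: "http://www.hattrick.org", submitOrigin: "http://www89.hattrick.org" },
    page: "http://www.hattrick.org/", action: "http://www80.hattrick.org/login" },
  { name: "form submits to another tenant's subdomain",
    saved: { pageOrigin: "http://alice.shared-host.example", submitOrigin: "http://alice.shared-host.example" },
    page: "http://alice.shared-host.example/", action: "http://mallory.shared-host.example/login" },
];

function evaluate() {
  return CASES.map((c) => ({
    name: c.name,
    exact: shouldAutofill(c.saved, c.page, c.action, "exact"),
    wildcard: shouldAutofill(c.saved, c.page, c.action, "wildcard"),
  }));
}

console.table(evaluate());
```

The third row is the trade-off discussed in the thread: the wildcard policy that would restore autofill on www.hattrick.org also fills a saved password into a form that submits to a different tenant of a shared-hosting domain.
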
The problem is not the multiple hattrick hosts. I have saved the password for every hattrick host separately but still it seems that when I go back to that specific host the browser doesn't fill in the username and password. Now that I have used the new version longer, I have noticed some other minor problems with saved passwords with other sites too. For example, on the web mail of my ISP the username is automatically filled in but the password is not. If I select the username field and then press tabulator to move the cursor to the password field then the password is also filled in. I don't know if this is related to the original problem... I was also wondering whether some conversion is done on the password file when the browser is updated. If so, then maybe this can corrupt the file...
(In reply to comment #5)
> The problem is not the multiple hattrick hosts. I have saved the password for
> every hattrick host separately but still it seems that when I go back to
> that specific host the browser doesn't fill in the username and password.

That would be bug 371525.

> problems with saved passwords with other sites too. For example on the web mail
> of my ISP the username is automatically filled in but the password is not. If I
> select the username field and then press tabulator to move the cursor to the
> password field then the password is also filled in.

Please file a separate bug with more information.

I'm marking this bug WONTFIX, per comment 3 and 4.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WONTFIX
Product: Firefox → Toolkit