Closed Bug 45774 Opened 24 years ago Closed 24 years ago

Able to login to mail with incorrect password.

Categories

(SeaMonkey :: MailNews: Account Configuration, defect, P3)

Tracking

(Not tracked)

VERIFIED INVALID

People

(Reporter: skasinathan, Assigned: alecf)

Details

Steps:
1. Try to login to a mail account. In the password dialog type the correct 
password followed by some characters. (say if the password is 'helloworld' type 
'helloworldsomething'). I'm able to login to the account and read msgs.

Tried on POP and IMAP account. 

Build and platform:
2000-07-18-08-M17 linux commercial, yesterday's windows commercial build.

Yikes. Suresh, what happens if the password you type doesn't start with the 
correct password + additional text? i.e. type: blahblah

Thanks.  Nominate nsbeta2 due to seriousness of password security.
Keywords: nsbeta2
I doubt there's anything the client can do here. We don't know the user's
password so we can't limit it to the first n characters 'cause we have no idea
what n is! The server determines whether to accept or reject a password response
from the client.

I'd probably mark this as invalid/wontfix?
Keywords: nsbeta2
I stomped on lisa's nsbeta2 nomination by accident. But I don't think it needs
to be nominated anyway. I really don't see a client bug here. 

This happens only if I type in the correct password + something. I get a 'login 
failed' alert if I type something else without the correct password.
Keywords: nsbeta2
Ok. I'll remove my nsbeta2 nomination. Does this happen in 4.x, Suresh?
Keywords: nsbeta2
talked with suresh and bienvenu - this is not a client bug - this is just
exposing the 8-character significance of passwords in our mail server...
I'm going to mark invalid because even if this is a bug, it's a bug in the
server, not the client...
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → INVALID
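
The behaviour the thread settles on (a server that treats only the first 8 characters of a password as significant), as an added example that is not part of the bug report or of any client or mail-server code. The two verifiers, the salt and the function names are hypothetical stand-ins constructed for the demonstration; `audit_truncation` is a check an administrator could run against a test account whose password they know.

```python
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed sample value, not from the bug report


def _digest(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 1000)


def make_truncating_verifier(password: str, significant: int = 8):
    """Hypothetical legacy server: only the first `significant` chars count."""
    stored = _digest(password[:significant])

    def verify(candidate: str) -> bool:
        return hmac.compare_digest(stored, _digest(candidate[:significant]))
    return verify


def make_full_verifier(password: str):
    """Hypothetical server that compares the whole password."""
    stored = _digest(password)

    def verify(candidate: str) -> bool:
        return hmac.compare_digest(stored, _digest(candidate))
    return verify


def audit_truncation(verify, password: str) -> dict:
    """Report whether `verify` ignores trailing characters of a known password.

    A password no longer than the server's limit cannot reveal truncation,
    so audit with a test password longer than any suspected limit.
    """
    if not verify(password):
        raise ValueError("known password was rejected; cannot audit")
    accepts_suffix = verify(password + "something")
    # Shortest prefix of the real password that still logs in.
    significant = next(k for k in range(len(password) + 1) if verify(password[:k]))
    return {
        "accepts_suffix": accepts_suffix,
        "significant_chars": significant,
        "truncates": accepts_suffix or significant < len(password),
    }


if __name__ == "__main__":
    for name, factory in (("legacy", make_truncating_verifier),
                          ("full", make_full_verifier)):
        print(name, audit_truncation(factory("helloworld"), "helloworld"))
```
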

I think that's what I said earlier in the bug =)....I forgot to mark it invalid
though....shame on me.

fyi: this happens on 4.x as well.

vrfy invalid
Status: RESOLVED → VERIFIED
Product: Browser → Seamonkey