Able to login to mail with incorrect password.

VERIFIED INVALID

Status

P3
critical
19 years ago
14 years ago

People

(Reporter: skasinathan, Assigned: alecf)

(Reporter)

Description

19 years ago
Steps:
1. Try to login to a mail account. In the password dialog type the correct 
password followed by some characters. (say if the password is 'helloworld' type 
'helloworldsomething'). I'm able to login to the account and read msgs.

Tried on POP and IMAP account. 

Build and platform:
2000-07-18-08-M17 linux commercial, yesterday's windows commercial build.

Comment 1

19 years ago
Yikes.  Suresh, what happens if the password you type doesn't start with the 
correct password + additional text?  ie. type:  blahblah

Thanks.  Nominate nsbeta2 due to seriousness of password security.
Keywords: nsbeta2

Comment 2

19 years ago
I doubt there's anything the client can do here. We don't know the user's
password so we can't limit it to the first n characters 'cause we have no idea
what n is! The server determines whether to accept or reject a password response
from the client.

I'd probably mark this as invalid/wontfix?
Keywords: nsbeta2

Comment 3

19 years ago
I stomped on lisa's nsbeta2 nomination by accident. But I don't think it needs
to be nominated anyway. I really don't see a client bug here. 
(Reporter)

Comment 4

19 years ago
This happens only if I type in the correct password + something. I get a 'login 
failed' alert if I type something else without the correct password.
Keywords: nsbeta2

Comment 5

19 years ago
Ok. I'll remove my nsbeta2 nomination. Does this happen in 4.x, Suresh?
Keywords: nsbeta2
(Assignee)

Comment 6

19 years ago
talked with suresh and bienvenu - this is not a client bug - this is just
exposing the 8-character significance of passwords in our mail server...
I'm going to mark invalid because even if this is a bug, it's a bug in the
server, not the client...
Status: NEW → RESOLVED
Last Resolved: 19 years ago
Resolution: --- → INVALID
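
The server-side behaviour described in comment 6, as an added example that is not part of the bug report and not code from the client or the mail server: a password check that only looks at the first 8 characters, beside one that uses the whole password, plus an audit helper for a test account whose password you know. The function names, the PBKDF2 stand-in and the 8-byte constant are assumptions; the page does not say which algorithm the server uses.

```python
import hashlib
import hmac
import os

SIGNIFICANT = 8  # assumption taken from comment 6: only 8 characters count


def _derive(secret: bytes, salt: bytes) -> bytes:
    # Stand-in KDF for the demo; the real server's algorithm is not on the page.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)


def enroll(password: str, truncate: bool) -> tuple[bytes, bytes]:
    """Create a (salt, digest) record; truncate=True models the legacy server."""
    salt = os.urandom(16)
    secret = password.encode("utf-8")
    return salt, _derive(secret[:SIGNIFICANT] if truncate else secret, salt)


def verify(candidate: str, record: tuple[bytes, bytes], truncate: bool) -> bool:
    """Check a login attempt against a record, comparing in constant time."""
    salt, stored = record
    secret = candidate.encode("utf-8")
    if truncate:
        secret = secret[:SIGNIFICANT]  # everything after byte 8 is ignored
    return hmac.compare_digest(_derive(secret, salt), stored)


def significant_length(check, password: str) -> int:
    """Audit helper for a test account whose password you know: return the
    length of the shortest prefix of that password the login check accepts."""
    for n in range(1, len(password) + 1):
        if check(password[:n]):
            return n
    raise ValueError("the full password was rejected")


if __name__ == "__main__":
    pw = "helloworld"  # sample password from the bug report
    for truncate in (True, False):
        rec = enroll(pw, truncate)
        check = lambda c, r=rec, t=truncate: verify(c, r, t)
        print("truncating" if truncate else "full-length",
              check(pw + "something"), check("blahblah"),
              significant_length(check, pw))
```

A result from `significant_length` that is shorter than the password means the server is discarding the tail, which caps the effective password strength at that many characters regardless of what users choose.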

Comment 7

19 years ago
I think that's what I said earlier in the bug =)....I forgot to mark it invalid
though....shame on me.
(Reporter)

Comment 8

19 years ago
fyi: this happens on 4.x as well.

Comment 9

18 years ago
vrfy invalid
Status: RESOLVED → VERIFIED
Product: Browser → Seamonkey