Closed Bug 463388 Opened 16 years ago Closed 15 years ago

When working on the phpbb forums ACP, when trying to either edit or create a new forum, Firefox places my saved username and password where it shouldn't

Categories

(Toolkit :: Password Manager, defect)

x86
Windows Vista
defect
Not set
major

Tracking

RESOLVED DUPLICATE of bug 499223

People

(Reporter: jmcquadesr, Unassigned)

Details

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b1) Gecko/20081007 Firefox/3.1b1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b1) Gecko/20081007 Firefox/3.1b1

Upon editing one of my forums using the new Firefox, I noticed that the phpbb "image" line had my username, and the "password for forums section" had my password. The combo is my actual login information for the board. Also, upon trying to remove my name from the "phpbb image" field, once I click away it puts my name back in there.

As for the password field, I just remove the password and it stays out, until I hit edit again.

Reproducible: Always

Steps to Reproduce:
1. Go in phpbb admin user panel.
2. Attempt to edit a forum or create a forum.
3. The saved username for the phpbb forum will appear in the "image field" and "password for forum field".

Actual Results:
My username and password reappear in the fields of image and forum password.

Expected Results:
Nothing should have been placed on the lines automatically.

I feel this may be a security issue, where your password may become compromised with it auto-filling in the wrong fields, and the user not being able to remove it from the field. A hacker may be able to compromise this by a cookie. "possible"
Component: General → Password Manager
Product: Firefox → Toolkit
QA Contact: general → password.manager
I don't have an installation of PHPBB handy, though I suspect the form fields are named ambiguously on the page you mentioned, Joseph.  Would you mind attaching a copy of the full HTML of the page in question so we can investigate?
The password manager fills in based on the domain and field names, so if the site uses the same field names on different pages for different passwords that can cause confusion. If you have two different username/passwords saved, however, then it will wait for you to start entering one to decide which password will be restored. Even if you don't actually have a second account you can fill in the password form with a fake one and save it, and then Firefox won't automatically replay on that site.

If you've got two different passwords for the same username for different purposes on the same site then Firefox's password manager can't really handle that.

It's probably better to open up this bug report so site designers can be warned about reusing fieldnames for different privilege levels on the same site. I don't think this is an exploitable problem in itself.
Group: core-security
When I am trying to use Firefox, the image field will hold my saved username. When I try to remove my username from the image display field, it just puts it right back once I click ANYWHERE on the page. I had to remove all saved passwords in order to use Firefox beta while working in the phpbb forums ACP.
If needed, I can bring up a test forum for you guys for testing out bugs or whatnot, to help out. Just let me know. Maybe having it up and running and you guys testing it that way may help in the search for the answer. I'm just trying to be as helpful as possible.
See 478678 - this is not hard to reproduce and will happen any time two inputs are paired where the second is type=password but served from the same domain.
Confirmed still happening in phpbb 3.0.5.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
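
An added example (not part of the bug thread, and not Firefox or phpBB code): a small JavaScript check a site developer could run over a page's markup to list the text/password input pairs of the kind the comments above describe as being filled. The pairing rule is a simplified assumption based on those comments, and the sample form and its field names are constructed.

```javascript
// Added example: approximates the pairing described in the comments above.
// Sample markup and field names are constructed, not taken from phpBB.
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    let a;
    while ((a = attrRe.exec(tag[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    }
    // An <input> with no type attribute is a text field.
    inputs.push({ name: attrs.name || "", type: (attrs.type || "text").toLowerCase() });
  }
  return inputs;
}

// For each password input, report the nearest preceding text input: the
// pair that a "text field followed by password field" fill heuristic
// (assumed here) would treat as username/password.
function findFillCandidates(html) {
  const inputs = parseInputs(html);
  const pairs = [];
  inputs.forEach((field, i) => {
    if (field.type !== "password") return;
    let username = null;
    for (let j = i - 1; j >= 0; j--) {
      if (inputs[j].type === "text") { username = inputs[j].name; break; }
      if (inputs[j].type === "password") break; // belongs to an earlier pair
    }
    pairs.push({ username, password: field.name });
  });
  return pairs;
}

// Constructed admin form: neither visible field is a login credential.
const sampleForm = `
<form method="post" action="forum_edit">
  <input type="hidden" name="forum_id" value="2">
  <input name="forum_name" value="General">
  <input type="text" name="forum_image">
  <input type="password" name="forum_password">
  <input type="submit" value="Save">
</form>`;

console.log(findFillCandidates(sampleForm));
```

Any pair reported on a page that is not the site's login form is a place where a saved login could be filled into fields meant for something else.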