Bug 579756: Some forums have admin passwords set as POP passwords
Status: Closed (VERIFIED FIXED)
Opened 15 years ago; closed 15 years ago
Categories: support.mozilla.org :: Forum, task, P1
Tracking: (Not tracked)
Target Milestone: 1.5.6
People: Reporter: tanner, Assigned: jsocol
References: ()
Attachments (1 file): patch, 559 bytes; paulc: review+
In the off-topic forum, or any other forum that mods have access to they can gain access to the owner of the forum's password (In this case djst's). You can see the password using Firebug. Would it be possible to remove this from mods, and make it only accessible to admins?
Comment 1 • 15 years ago
I have found this issue the following way:
1. Go to http://support.mozilla.com/tiki-forums.php
2. Click the Edit link on any of the forums. => https://support.mozilla.com/tiki-admin_forums.php?locale=en-US&forumId=4
3. Next to 'Add messages from this email to the forum' you can find full login data (username and password).
4. You can decrypt the login asterisks using Firebug.
Comment 2 (Reporter) • 15 years ago
You can also do it by just viewing the source in Firefox (Ctrl+U)
Updated • 15 years ago
Severity: major → blocker
Comment 3 • 15 years ago
I suppose that finding qualifies for at least one Firefox t-shirt for each me and Tanner ;)
Comment 4 (Assignee) • 15 years ago
Since we're about to stop using the forum component of Tiki (btw: WTF? why... it doesn... who wou..... GAH) we can be pretty destructive in our fix if that's what it takes.
(In reply to comment #0)
> Would it be possible to remove this from mods,
> and make it only accessible to admins?
Admins don't need to see anyone's password, either. Ever. Why is it even stored in plain text somewhere, I thought we cleared that out!
Assignee: nobody → paulc
Priority: -- → P1
Target Milestone: --- → 1.5.6
Comment 5 • 15 years ago
If we are going to stop using the tiki forum component soon can't we simply remove the user/pass from the forum admin page and save the setup? If we can that would save needing a patch and is a simple 2 minute fix to remove plain text passwords. As far as I can see the only forum admin pages mods can view are for the offtopic forum (djst's password) and the Firefox Home forum (Jsocol's password) so this isn't a widespread problem.
Comment 6 (Assignee) • 15 years ago
I don't see why that wouldn't need a patch. Something is storing the password and putting it there, neither of those things should happen.
Comment 7 • 15 years ago
(In reply to comment #6)
> I don't see why that wouldn't need a patch. Something is storing the password
> and putting it there, neither of those things should happen.
In my theory:
I think that tikiwiki is storing the value of the username and password field as it does with all of the values on that site. Maybe that's intended behaviour.
Comment 8 (Assignee) • 15 years ago
Digging into this a bit, looks like an annoying combination of Firefox password manager and Tiki Wiki:
When you open the forum admin, if the inbound POP username and password aren't set, Firefox sees it as a username/password field and fills in your SUMO credentials for the inbound POP fields. It needs to store the inbound POP password in plaintext because it's going to send that password to the email server.
Long story short:
1) We can safely clear those fields.
2) The only useful patch is changing the password field to a text input element so Firefox doesn't try to fill it in--but it's probably not worth it given the timeline for replacing the rest of the tiki forums.
Assignee: paulc → james
Comment 9 (Assignee) • 15 years ago
I've cleared the fields on all the forums on support-stage. It looks fine to me and looking through the code I don't see anything that would cause issues. This is the only forum on stage that still uses the old forums code:
https://support.mozilla.com/en-US/forum/1
Please help me test it a bit and make sure nothing is broken and then we'll update production as well.
Comment 10 (Assignee) • 15 years ago
This patch switches the type on the form widget from password to text, so that Firefox doesn't try to fill it in with your SUMO credentials.
Since (a) the inbound POP is a feature we don't use, (b) there's essentially zero security benefit of making a field a password if you're going to prefill it, and (c) we will very shortly be done with the Tiki forums completely, I don't think this change negatively affects anything. On the other hand, actually landing it is kind of an afterthought.
Attachment #458364 - Flags: review?(paulc)
Attachment #458364 - Flags: feedback?
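As an added example (not the bug's patch and not Tiki Wiki code), a reconstruction of the two fixes discussed in comments 8 and 10: the patch's type swap, which stops the password manager from treating the inbound-POP pair as a login form, plus the stronger server-side rule the comments call for, that a stored secret is never echoed back into the page. The helper names, field names and forum record are hypothetical and constructed.

```python
from html import escape

# Constructed sample record: a forum's admin row after the browser's password
# manager silently filled the inbound-POP fields with the owner's own login.
FORUM_RECORD = {
    "forumId": 4,
    "inbound_pop_user": "owner",
    "inbound_pop_pass": "hunter2-sample",  # constructed, not a real credential
}

def render_pop_fields_vulnerable(record):
    """Leaky form: the stored password is echoed into a type="password" input,
    masked on screen but verbatim in the page source (view-source / Firebug)."""
    return (
        '<input type="text" name="inbound_pop_user" value="%s">'
        '<input type="password" name="inbound_pop_pass" value="%s">'
        % (escape(record["inbound_pop_user"]), escape(record["inbound_pop_pass"]))
    )

def render_pop_fields_hardened(record):
    """The patch's type swap (so Firefox stops treating the pair as a login
    form) plus the stronger rule: the stored secret is never written out."""
    state = "set (leave blank to keep)" if record["inbound_pop_pass"] else "not set"
    return (
        '<input type="text" name="inbound_pop_user" value="%s" autocomplete="off">'
        '<input type="text" name="inbound_pop_pass" value="" autocomplete="off" '
        'placeholder="%s">'
        '<label><input type="checkbox" name="inbound_pop_clear"> clear credentials</label>'
        % (escape(record["inbound_pop_user"]), state)
    )

def apply_pop_update(record, submitted):
    """Blank password means 'unchanged'; the checkbox clears the credentials
    (what comments 9 and 13 did by hand). The secret never round-trips."""
    new = dict(record)
    new["inbound_pop_user"] = submitted.get("inbound_pop_user", "")
    if submitted.get("inbound_pop_clear"):
        new["inbound_pop_user"] = ""
        new["inbound_pop_pass"] = ""
    elif submitted.get("inbound_pop_pass"):
        new["inbound_pop_pass"] = submitted["inbound_pop_pass"]
    return new

def leaks_secret(html, record):
    """Audit check over a rendered admin page: is the stored password in it?"""
    secret = record["inbound_pop_pass"]
    return bool(secret) and escape(secret) in html
```

Running leaks_secret over every forum's rendered admin page is the check comment 11 suggests doing against the database, done from the page side instead.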
Comment 11 • 15 years ago
Comment on attachment 458364 [details] [diff] [review]
switches type="password" to type="text" to stop fooling Firefox
This does make Firefox stop filling in the user/pass values (after clearing the set values).
I'm guessing you could check in the database to see if any other passwords are stored for other forums. Since this is going away soon, it's probably not worth the time.
Attachment #458364 - Flags: review?(paulc) → review+
Comment 12 (Assignee) • 15 years ago
r70740 on trunk.
I don't think we need an emergency push for this, though. I'll just go clean out the data from prod now, since no one has reported any problems on stage.
Comment 13 (Assignee) • 15 years ago
Removed all the user/password data from the inbound POP fields on prod. Please let me know _immediately_ (as in call or text if you have to) if anything weird crops up on the Firefox or Firefox Home forums.
If you have to edit any forum settings, make sure to clear out the inbound POP credentials.
Also, djstsys, I, and whoever "np" is should change our passwords.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Summary: Mods can see password of forum owner → Some forums have admin passwords set as POP passwords
Comment 14 • 15 years ago
Verified fixed. Account details have gone from the admin pages and the forums seem to be working fine (I've seen both new topics and replies). The fix works on staging and the forums work as expected.
Status: RESOLVED → VERIFIED
Comment 15 • 15 years ago
np = Jason Barnabe, once the forum administrator. I don't think he's very active anymore, so I'll revoke his admin privs until he speaks up.
Comment 16 • 15 years ago
I meant I'll change his password to something temporary until I hear from him. His last login was September 2008.
James, when you wrote djstsys, did you mean djst? I can't find a username called djstsys (I renamed it a long time ago to djst). Anyway, I've changed my password for djst.
Comment 17 (Assignee) • 15 years ago
We have something like 18 administrator accounts on production--we probably should trim that down, especially if he's been inactive for nearly two years.
The username was "djstsys". Probably filled in long ago on accident.
Updated (Assignee) • 15 years ago
Attachment #458364 - Flags: feedback?
Comment 18 • 9 years ago
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security