Thunderbird add-ons installation administrator Risk




8 years ago


(Reporter: emb7374, Unassigned)


Windows Vista





8 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv: Gecko/20100914 Firefox/3.6.10 (.NET CLR 3.5.30729)
Build Identifier: 

asks've found the Thunderbird when it is add-ons installed manually and detei.xpi in another part of the user for administrator password. Terminating Thunderbird and not one has given password and tried to install datei2.xpi in the same folder open in Administrator mode, in my opinion a great danger. 

Reproducible: Always


8 years ago
Version: unspecified → 3.1
Can you explain exactly what you are trying to install, into where, and how you are trying to install it, in step-by-step instructions? I'm sorry, but your description does not make any sense to me.

Comment 2

8 years ago
My true proceed Sun My system consists of three users (Admin, Me and my wife). After I installed Thunderbird, I installed German Dictionary and because I've already installed for my wife, I opened the folder where the file german_dictionary-2.0.1 fx + tb + sm + fn.xpi is with admin rights. When I tried to file w__rterbuch_deutsch__de-unterst__tzt de___hunspell-20100720-Installer to-fx + tb + sm + fn.xpi which was in the same folder
dialogue is opened in the same folder with the same right.

Google translated from German

Eduard Buller
Ieks, the German translation doesn't make much more sense. Adding some German speakers to figure out the what and whys.
Eduard: please write in German what happened. I will then translate it.

Comment 5

8 years ago
I wrote to Eduard yesterday at his email address, in German. He replied to me today. Now I will try to understand and reproduce his problem. Then I can tell you the STR.

Comment 6

8 years ago
OK, I think I have understood what his problem is. But somebody with Windows Vista needs to reproduce it. I have a Mac, and the procedure he described doesn't work that way on my Mac.

He told me the following, he is on Windows Vista SP2 64bit, Thunderbird version is 3.1.4. His system has an admin account and two user accounts (in his explanation "User 1" and "User 2").

He installed Thunderbird new on a fresh system. First he logged in as User 2 and downloaded the German dictionary Add-On (into C:\Users\User2\Downloads). I don't know why, but he downloaded two German dictionary Add-Ons (in his explanation named as "Datei 1" and "Datei 2"). Then he installed both Add-Ons for User 2.
After that he configured Thunderbird for User 1. For this he was still logged in as User 2, and he used the same Add-Ons from C:\Users\User2\Downloads (this doesn't work on my Mac; you have to be logged in to the account you are trying to install Add-Ons for. So maybe this feature is Vista specific).
He installed it via: Thunderbird --> Tools --> Add-Ons --> Install... Then he selected the Add-On "Datei 1" from C:\Users\User2\Downloads. He got a prompt to enter his admin password. And now his problem. He now tried the same thing with "Datei 2", but "Datei 2" installed without any admin password dialog box. He told me you can do this with any user. The first time you install an Add-On in this way you get prompted for your admin password, and then you don't see the prompt anymore if you try to install a second Add-On. He says TB or Vista stores his admin password, so anything can now be installed with admin rights (without a new prompt).
I don't know how you can configure Thunderbird for one user while being logged in as another, at least not easily anyway. I suspect he was logged in as User 1 and trying to install the XPI files that were in User 2's directory. There could be a permissions problem there but I don't believe that Thunderbird or any Mozilla app has handling to ask for authentication for files, this would be more likely an OS (or maybe some other file control system installed on his computer) asking for authentication. It is then likely that it is just remembering that authentication for a period of time (perhaps measured on the clock or perhaps until application/computer restart) which is why it isn't asking again.

I don't really know Vista's file access controls that well so I'm not sure if that sort of thing is present in the OS by default. Rob is this something you are aware of?

Comment 8

8 years ago
(In reply to comment #7)
> I don't know how you can configure Thunderbird for one user while being logged
> in as another, at least not easily anyway. I suspect he was logged in as User 1
> and trying to install the XPI files that were in User 2's directory.

Yes, this was also a bit unclear to me. I've asked him about that and he told me that first he was logged in as User2 and configured TB for User2. Then he was logged in as User1 and configured TB for User1, but with the files from User2. And then he saw the issue he is concerned about.
OK, this makes much more sense now. :-) I've tested this on a Mac with multiple accounts, but on a Mac you are not able to access the Download folder from another user. So for the STR you need a PC (with Vista).

STR (derived from emails with Eduard, not tested):
1. Get a PC with Windows Vista and multiple accounts
2. Log in as User 1, download two Add-Ons into the user's download folder (C:\Users\User1\Downloads)
3. Log out as User 1 and log in as User 2
4. Install Thunderbird (3.1.4) for User 2 and install the first Add-On from the Download folder from User 1
--> You should see a prompt for your admin password
5. Install the second Add-On
--> Now you don't see an admin password prompt anymore
Component: Security → Add-ons Manager
Product: Thunderbird → Toolkit
QA Contact: thunderbird → add-ons.manager
Version: 3.1 → Trunk
As Dave has already mentioned in comment 7, any password request will be initiated by Windows itself through the file open dialog. It's not part of Firefox. Passwords are cached for a given amount of time. Given the steps from Eduard, he is doing those installs right after each other. That's the reason why no other password request is triggered.
Last Resolved: 8 years ago
Resolution: --- → INVALID