Closed Bug 299497 Opened 19 years ago Closed 19 years ago

Firefox doesn't store the password correctly when it's hashed by a Javascript function when the form is submitted

Categories: Toolkit :: Password Manager, defect

Platform: x86 Linux
Type: defect
Priority: Not set
Severity: normal

RESOLVED DUPLICATE of bug 257781

People

(Reporter: mirrorball, Unassigned)

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Simple Machines is a forum software and their new 1.1 version has a feature that is causing problems with password management in Firefox. When login forms are submitted, a Javascript function hashes the password (it's called by the onsubmit attribute of the form element). But Firefox doesn't store the typed password correctly, it just stores a lot of *s. On the official SMF forums they said it is a Firefox bug because the program has to store what was in the input field before form submission.

Reproducible: Always

Steps to Reproduce:
1. Go to a forum running SMF v1.1.
2. Fill in the login form with login and password.
3. Tell Firefox to store the password.
4. Logout.
5. When the login form is automatically filled by the browser, hit submit.

Actual Results:
An error message saying that the password is incorrect is displayed. Going to Edit -> Preferences -> View saved passwords -> Show passwords reveals that the password hadn't been stored, just a lot of *s.

Expected Results:
It should have stored what was typed before it's hashed.

Here are the hashing function and the login form.

<script language="JavaScript" type="text/javascript"><!-- // --><![CDATA[
    function hashPassword()
    {
        if (typeof(hex_sha1) == "undefined")
            return;

        // Are they using an email address?
        if (document.frmLogin.user.value.indexOf("@") != -1)
            return;

        document.frmLogin.hash_passwrd.value = hex_sha1(hex_sha1(document.frmLogin.user.value.toLowerCase() + document.frmLogin.passwrd.value) + "3f4a91bea2c2d3a07de3736d296d5b28");
        document.frmLogin.passwrd.value = document.frmLogin.passwrd.value.replace(/./g, "*");
    }
// ]]></script>

<form action="http://www.simplemachines.org/community/index.php?action=login2" name="frmLogin" method="post" style="margin-top: 4ex;" onsubmit="hashPassword();">
    <table border="0" width="400" cellspacing="0" cellpadding="4" class="tborder" align="center">
        <tr class="titlebg">
            <td colspan="2">
                <img src="http://www.simplemachines.org/community/Themes/simple/images/icons/login_sm.gif" alt="" align="top" /> Login
            </td>
        </tr><tr class="windowbg">
            <td width="50%" align="right"><b>Username:</b></td>
            <td><input type="text" name="user" size="20" value="" /></td>
        </tr><tr class="windowbg">
            <td align="right"><b>Password:</b></td>
            <td><input type="password" name="passwrd" value="" size="20" /></td>
        </tr><tr class="windowbg">
            <td align="right"><b>Minutes to stay logged in:</b></td>
            <td><input type="text" name="cookielength" size="4" maxlength="4" value="60" /></td>
        </tr><tr class="windowbg">
            <td align="right"><b>Always stay logged in:</b></td>
            <td><input type="checkbox" name="cookieneverexp" class="check" onclick="document.frmLogin.cookielength.disabled = this.checked;" /></td>
        </tr><tr class="windowbg">
            <td align="center" colspan="2"><input type="submit" value="Login" style="margin-top: 2ex;" /></td>
        </tr><tr class="windowbg">
            <td align="center" colspan="2" class="smalltext"><a href="http://www.simplemachines.org/community/index.php?action=reminder">Forgot your password?</a><br /><br /></td>
        </tr>
    </table>
    <input type="hidden" name="hash_passwrd" value="" />
</form>
> because the program *has to* store what was in the input field *before* form submission.

Carolina, what official document defines that "program *has to* store *before* onsubmit event handler scheduling, instead of when submit is executed"? And what does the "program" mean? - JavaScript engine & Browser? User JavaScript program?
Firefox. I didn't read any official documents, I'm just telling what they said.
Challenge authentication via JavaScript is becoming more and more common practice; for example, vBulletin 3 does it as well to my knowledge. If there is an onsubmit function which modifies the value of a password or username field to be stored, it seems logical that the values should be saved before, not after, that function is run. This is because, again logically, one might assume that it will modify it the same way every time - and if you give it the result of the last time, it might change it even differently. That said, SMF does do differently than other software in cases; it replaces the current password with a string of the same length of asterisks (so as not to annoy the user.) Most challenge implementations clear the password instead, which probably simply makes the password manager save nothing. -[Unknown]
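The before-or-after-onsubmit question discussed in this bug, as an added example that is not part of the bug report, SMF or Firefox: a Node.js simulation of the report's hashPassword() showing what a password manager saves in each case and whether a later autofilled login still succeeds. The server-side check, the sample credentials and the submitAndCapture helper are assumptions made for illustration.

```javascript
// Added example: simulates the report's login form in Node.js (no browser needed).
const { createHash } = require("node:crypto");
const sha1 = (s) => createHash("sha1").update(s, "utf8").digest("hex");

// The string appended inside the report's hashPassword().
const CHALLENGE = "3f4a91bea2c2d3a07de3736d296d5b28";

// Same steps as the report's hashPassword(), on a plain object instead of the DOM.
function hashPassword(form) {
  if (form.user.indexOf("@") !== -1) return; // e-mail logins are left untouched
  form.hash_passwrd = sha1(sha1(form.user.toLowerCase() + form.passwrd) + CHALLENGE);
  form.passwrd = form.passwrd.replace(/./g, "*"); // typed value is now masked
}

// Assumption: the server keeps sha1(lowercase user + password) and recomputes
// the challenge response from it. The bug report does not show the server side.
function serverAccepts(storedHash, form) {
  return form.hash_passwrd === sha1(storedHash + CHALLENGE);
}

// Hypothetical password manager that reads the password field either before
// or after the form's onsubmit handler has run.
function submitAndCapture(user, fieldValue, captureAfterOnsubmit) {
  const form = { user, passwrd: fieldValue, hash_passwrd: "" };
  const before = form.passwrd;
  hashPassword(form); // onsubmit
  return { form, saved: captureAfterOnsubmit ? form.passwrd : before };
}

// First login with the typed password, then a second login autofilled from
// whatever the manager saved. Credentials are constructed sample values.
function demo() {
  const user = "Alice", typed = "correct horse";
  const stored = sha1(user.toLowerCase() + typed);
  const out = {};
  for (const [label, after] of [["before", false], ["after", true]]) {
    const first = submitAndCapture(user, typed, after);
    const refill = submitAndCapture(user, first.saved, after);
    out[label] = {
      saved: first.saved,
      firstLogin: serverAccepts(stored, first.form),
      autofillLogin: serverAccepts(stored, refill.form),
    };
  }
  return out;
}

console.log(demo());
```

Capturing after onsubmit leaves the first login working, which is why the failure only shows up on the next visit, when the saved asterisks are hashed in place of the real password.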
Looks like a duplicate of bug 257781.
*** This bug has been marked as a duplicate of 257781 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Product: Firefox → Toolkit