Remember your password?
Tuesday, 06 January 2009 08:37

Modern browsers have a neat little feature to remember the login credentials for a specific site. But do you know when and where these credentials are used? You might save the username and password for use with form A. But what if the browser also uses them to fill in form B? An example: you browse to the Joomla! Administrator login page and as soon as you log in, Firefox shows you an extra browser bar asking whether you would like to save the login. You say yes, because filling in the same username and password every time is boring. Of course you have already thought about the security aspect of this, but you're working from home and nobody but your family has access to your home computer. Saving your password is pretty safe - so it seems. Now, Firefox has stored your username and password not only for the login form, but for the entire site. That's very useful, because - if you use a different login form - Firefox will still autocomplete the form with your stored login credentials.

Important passwords in the Joomla! configuration

Now, browse to the Joomla! Global Configuration and navigate to the Server tab. You will see another form with an option to fill in a username and password. Firefox will probably have recognized this as a login form, so your username and password have been inserted. But actually we're not looking at the Joomla! login credentials, but at the Joomla! FTP credentials - something completely different! The normal login credentials are used to log in as a Joomla! user. The FTP credentials are used in case you need the Joomla! FTP layer to have write access in your hosting environment. Once you save these settings, the Joomla! configuration will be stored in a plain-text file called configuration.php. If you open up the file you will see that the variables "ftp_user" and "ftp_password" show you your super-secret Joomla! credentials. This is a big security risk. Anybody with access to this file (which should be just a very small number of people) can read credentials that were only meant for one person.

Messing up the stored data

A stranger example is a form with some kind of password field and, just above it, a completely different field - let's say an image field. Once you open the form, Firefox will try to insert the password in the password field. Firefox will assume the input field above it is the field for the username. If the form is submitted, you suddenly have stored an image named after your username. Of course the form should be validated, and if there is an image, it should be checked whether it really exists. But actually it is the browser that is to blame. It inserts a password and username in a place where it shouldn't.

Solution 1: Don't remember anything

The first and obvious solution to this problem is to never save passwords within the browser. Disable the feature entirely. Within Firefox you can disable this in your Preferences under the Security tab.

Solution 2: Always enter something

Another solution would be to always enter a username and password in every form, even if you don't need to. Take the Joomla! Global Configuration as an example: if you don't use the Joomla! FTP layer, you don't need an FTP username and FTP password. But entering fake data anyway (username "fake", password "fake") will bypass the security problem described here.

Solution 3: Call your browser manufacturer

The third solution is not really a solution: blame the browser manufacturer. You trust the browser to remember the password. The browser then starts using the password for the entire site, but what you actually expect is that the password is saved only for that specific login form and not for the entire site. Of course calling up Microsoft or Mozilla to tell them their browser has a bad feature is not the best solution. It's the perfect example of security conflicting with ease of use.