kingtechdesign
16 May 2013

When modifying global configuration settings in the administrator control panel, if the logged-in user has opted to keep username and password saved in the browser, it automatically fills these fields in for SMTP username and SMTP password and saves the username/password in plaintext to the configuration.php file.

kingtechdesign - open - 16 May 2013
elinw - comment - 16 May 2013

So it's not a security issue in Joomla you are thinking about, it is that an email password is saved?

kingtechdesign - comment - 16 May 2013

um NO... I do not use / specify any login information for SMTP email as my server allows PHP to send mail out directly. Global configuration page gets my JOOMLA USER NAME and JOOMLA PASSWORD automatically filled in and is saved into the configuration.php as plain text.

I do not understand why this is happening as the input fields are not named the same as login fields, so browsers shouldn't autocomplete those fields, but I assure you it is happening.

  • note I noticed this on Joomla 2.5.9 and upgraded to 2.5.11 after a recent threat allowed a hacker to upload a web shell. The hacker had access to the whole cPanel account so I'm sure they viewed the configuration.php files
mbabker - comment - 16 May 2013

I'm going to ask what seems like a stupid question, but it'll help me think a little bit more. Is this behavior reproducible on other sites and using other browsers?

kingtechdesign - comment - 16 May 2013

I have noticed it on several different versions/installations of Joomla... 1.5 as well as 2.5. My browser of choice is Google Chrome, but I believe I developed some of these sites before I switched over from Firefox. I am still going through all my sites and looking at configuration files.

SniperSister - comment - 18 Oct 2013

I noticed the same behavior several times - a pretty easy fix would be to stop browsers from filling in the credentials by adding the autocomplete=off attribute to those fields.

brianteeman - comment - 18 Oct 2013

Browsers are indeed offering autocomplete on a lot more fields now.
That solution makes sense. @SniperSister, would you have the time to submit a PR?

SniperSister - comment - 18 Oct 2013

Double-checked a few minutes ago: this has already been addressed in the HTML5 form attributes GSoC project and will be fixed in the next release.

mbabker - comment - 18 Oct 2013

Great!

Could you do a pull for the 2.5 branch then to ensure a solution is available for those users? The GSoC project only covers 3.2.

SniperSister - comment - 18 Oct 2013

Done! #2282

brianteeman - close - 18 Oct 2013
brianteeman - comment - 18 Oct 2013

As @SniperSister has pointed out that this is being handled elsewhere with the GSoC commit, and he has done a separate PR for J2.5, I am closing this issue.

zero-24 - close - 18 Oct 2013
zero-24 - change - 7 Jul 2015
Build staging
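
An added example, not part of the thread or of Joomla's own code: a Python check for the symptom reported above, where SMTP credential fields are populated in configuration.php although the site does not send mail through authenticated SMTP. It assumes the standard JConfig property names (`mailer`, `smtpauth`, `smtpuser`, `smtppass`), which the thread does not list, and the sample file is constructed.

```python
import re
import sys

# Matches JConfig string properties: "public $name = 'value';" (2.5+)
# or "var $name = 'value';" (1.5). Property names are an assumption.
PROP_RE = re.compile(
    r"""^\s*(?:public|var)\s+\$(\w+)\s*=\s*'((?:\\.|[^'\\])*)'\s*;""", re.M)


def parse_config(text):
    """Return a dict of single-quoted string properties from configuration.php text."""
    return {name: value for name, value in PROP_RE.findall(text)}


def audit_smtp(text):
    """Return a list of findings; the stored values themselves are never echoed."""
    cfg = parse_config(text)
    stored = [k for k in ("smtpuser", "smtppass") if cfg.get(k, "")]
    if not stored:
        return []
    fields = "/".join(stored)
    mailer = cfg.get("mailer", "")
    if mailer != "smtp":
        return ["%s set but mailer is %r, not 'smtp'" % (fields, mailer)]
    if cfg.get("smtpauth", "0") != "1":
        return ["%s set but SMTP authentication is disabled" % fields]
    return []  # SMTP with auth is in use, so stored credentials are expected


# Constructed sample, not taken from a real site.
SAMPLE = """<?php
class JConfig {
    public $mailer = 'mail';
    public $smtpauth = '0';
    public $smtpuser = 'admin';
    public $smtppass = 'constructed-example';
    public $smtphost = 'localhost';
}
"""

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print(audit_smtp(SAMPLE))
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for finding in audit_smtp(fh.read()):
                print("%s: %s" % (path, finding))
```

Run it with one or more configuration.php paths as arguments; a flagged file holds a value that the site's mail settings do not need, which should be cleared and the corresponding password changed.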
