[Phpgroupware-tracker] [Bug #1171] admin authentication security hole
From: nobody
Subject: [Phpgroupware-tracker] [Bug #1171] admin authentication security hole
Date: Thu, 20 Mar 2003 15:40:57 -0500
=================== BUG #1171: LATEST MODIFICATIONS ==================
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=1171&group_id=509
Changes by: Dave Hall <address@hidden>
Date: Fri 03/21/03 at 07:40 (Australia/Melbourne)
What       | Removed | Added
---------------------------------------------------------------------------
Resolution | None    | Fixed
Status     | Open    | Closed
------------------ Additional Follow-up Comments ----------------------------
This has been corrected in CVS.
To grab a complete update of all fixes:
1) Check to see if you have cvs installed: 'cvs --help'.
1a) If not, install a copy of cvs-cli from your favorite
distro.
2) Then just type:
'cd <your phpgroupware dir>; cvs update -dP'.
You can do step 2 as many times in a day as you wish, and
will always get the most current bug fixes.
Thanks,
=================== BUG #1171: FULL BUG SNAPSHOT ===================
Submitted by:     None                    Project:           phpGroupWare
Submitted on:     Tue 09/10/02 at 22:33
Category:         API - Setup             Bug Group:         0.9.14 release
Severity:         7                       Priority:          Immediate
Resolution:       Fixed                   Assigned to:       skwashd
Status:           Closed                  Component Version: None
Platform Version: Other                   Reproducibility:   Every Time
Summary: admin authentication security hole
Original Submission: RE: Authentication for config/setup and header admin
broken
"logout" of either admin screen allows you to hit back button on browser, then
refresh the admin screen and it logs you back in giving full privs without
prompting for password.
Also it doesn't matter that you have two different passwords for the admin
screens. Once logged into either one, you can go to the other without
authenticating by entering the URL.
This is a major security hole.
Follow-up Comments
*******************
-------------------------------------------------------
Date: Fri 03/21/03 at 07:40 By: skwashd
This has been corrected in CVS.
To grab a complete update of all fixes:
1) Check to see if you have cvs installed: 'cvs --help'.
1a) If not, install a copy of cvs-cli from your favorite
distro.
2) Then just type:
'cd <your phpgroupware dir>; cvs update -dP'.
You can do step 2 as many times in a day as you wish, and
will always get the most current bug fixes.
Thanks,
-------------------------------------------------------
Date: Thu 03/20/03 at 15:03 By: skwashd
I have fixed this ... just awaiting test results
CC list is empty
No files currently attached
For detailed info, follow this link:
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=1171&group_id=509
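
The two symptoms in the original submission, modeled as an added example (not phpGroupWare code and not the fix committed to CVS): a server-side session table in which logout revokes the token and every token is bound to the admin screen it was issued for. The class, the realm names "config" and "header", the salt and the passwords are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed salt, realms and credentials, for illustration only. The realm
# names are assumptions standing in for the two admin screens in the report.
SALT = b"constructed-demo-salt"


def _digest(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


ADMIN_PASSWORDS = {
    "config": _digest("config-demo-pw"),
    "header": _digest("header-demo-pw"),
}


class AdminSessions:
    """Server-side session table: token -> realm the token was issued for."""

    def __init__(self):
        self._live = {}

    def login(self, realm: str, password: str):
        expected = ADMIN_PASSWORDS.get(realm)
        if expected is None or not hmac.compare_digest(expected, _digest(password)):
            return None
        token = secrets.token_urlsafe(32)  # fresh, unguessable token per login
        self._live[token] = realm
        return token

    def authorize(self, token, realm: str) -> bool:
        # The token must still be live AND have been issued for this realm,
        # so a login on one admin screen never opens the other one.
        return token is not None and self._live.get(token) == realm

    def logout(self, token) -> None:
        # Revoke on the server. A replayed request (browser back, then
        # refresh) that still carries the old token now fails authorize().
        self._live.pop(token, None)
```
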