[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Phpgroupware-tracker] [Bug #3013] Security issue: Fatal Error provides
From: |
nobody |
Subject: |
[Phpgroupware-tracker] [Bug #3013] Security issue: Fatal Error provides link to setup without password. |
Date: |
Mon, 31 Mar 2003 06:37:01 -0500 |
=================== BUG #3013: LATEST MODIFICATIONS ==================
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=3013&group_id=509
Changes by: Ralf Becker <address@hidden>
Date: Mon 03/31/2003 at 13:37 (Europe/Berlin)
What | Removed | Added
---------------------------------------------------------------------------
Status | Open | Closed
=================== BUG #3013: FULL BUG SNAPSHOT ===================
Submitted by: izzyb Project: phpGroupWare
Submitted on: Mon 03/31/2003 at 10:54
Category: API - Setup Bug Group: 0.9.14.002 release
Severity: 5 - Major Priority: High
Resolution: None Assigned to: None
Status: Closed Component Version: None
Platform Version: None Reproducibility: Intermittent
Summary: Security issue: Fatal Error provides link to setup without password.
Original Submission: I'm getting the following error intermittently, sometimes
with a broken link:
Fatal Error: It appears that you have not created the database tables for
phpGroupWare. Click here to run setup.
At this point, I'm not sure the cause, but I'm more concerned with the security
issue it creates. The provided link, when it works, links directly to the
setup III page without prompting for a password. This could leave a site open
to attach or stupid user syndrome. I noticed it when the error came up when I
was logged in as a non-admin user. After hitting re-check my database a few
times, the normal setup screen came up complete with the "uninstall all
applications" button.
Follow-up Comments
*******************
-------------------------------------------------------
Date: Mon 03/31/2003 at 11:00 By: izzyb
Oops, false alarm. I had another browser window open and logged into the setup
III screen. I just reproduced the problem after logging out and it does come
to a password prompt.
It's safe to close this bug report.
CC list is empty
No files currently attached
For detailed info, follow this link:
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=3013&group_id=509