[Phpgroupware-tracker] [Bug #1171] admin authentication security hole


From: nobody
Subject: [Phpgroupware-tracker] [Bug #1171] admin authentication security hole
Date: Thu, 20 Mar 2003 15:40:57 -0500

=================== BUG #1171: LATEST MODIFICATIONS ==================
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=1171&group_id=509

Changes by: Dave Hall <address@hidden>
Date: Fri 03/21/03 at 07:40 (Australia/Melbourne)

            What     | Removed                   | Added
---------------------------------------------------------------------------
          Resolution | None                      | Fixed
              Status | Open                      | Closed


------------------ Additional Follow-up Comments ----------------------------
This has been corrected in CVS.

To grab a complete update of all fixes:

1)  Check to see if you have cvs installed: 'cvs --help'.
1a) If not, install a copy of cvs-cli from your favorite 
distro.

2)  Then just type:
    'cd <your phpgroupware dir>; cvs update -dP'.

You can do step 2 as many times in a day as you wish, and 
will always get the most current bug fixes.

Thanks,




=================== BUG #1171: FULL BUG SNAPSHOT ===================


Submitted by: None                    Project: phpGroupWare                 
Submitted on: Tue 09/10/02 at 22:33
Category:  API - Setup                Bug Group:  0.9.14 release            
Severity:  7                          Priority:  Immediate                  
Resolution:  Fixed                    Assigned to:  skwashd                 
Status:  Closed                       Component Version:  None              
Platform Version:  Other              Reproducibility:  Every Time          

Summary:  admin authentication security hole

Original Submission:  RE: Authentication for config/setup and header admin 
broken

"logout" of either admin screen allows you to hit back button on browser, then 
refresh the admin screen and it logs you back in giving full privs without 
prompting for password.

Also it doesn't matter that you have two different passwords for the admin 
screens.  Once logged into either one, you can go to the other without 
authenticating by entering the URL.

This is a major security hole.  

Follow-up Comments
*******************

-------------------------------------------------------
Date: Fri 03/21/03 at 07:40         By: skwashd
This has been corrected in CVS.

To grab a complete update of all fixes:

1)  Check to see if you have cvs installed: 'cvs --help'.
1a) If not, install a copy of cvs-cli from your favorite 
distro.

2)  Then just type:
    'cd <your phpgroupware dir>; cvs update -dP'.

You can do step 2 as many times in a day as you wish, and 
will always get the most current bug fixes.

Thanks,


-------------------------------------------------------
Date: Thu 03/20/03 at 15:03         By: skwashd
I have fixed this ... just awaiting test results


CC list is empty


No files currently attached


For detailed info, follow this link:
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=1171&group_id=509
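
The two behaviours in the original submission (a logged-out admin screen coming back after back button and refresh, and one admin login opening the other screen by URL) can be modelled as server-side session checks. The following is an added example, not phpGroupWare code and not the fix committed to CVS; it assumes login state is kept server-side under a cookie token, and the class, the realm names `setup` and `header`, and the passwords are hypothetical.

```python
import hmac
import secrets

# Constructed sample credentials: one password per admin screen, as in the report.
PASSWORDS = {"setup": "setup-pw-example", "header": "header-pw-example"}


class AdminSessions:
    """Server-side login state for the two admin screens (hypothetical model)."""

    def __init__(self):
        self._sessions = {}  # token -> set of realms this token has authenticated to

    def login(self, realm, password, token=None):
        """Check the realm's own password; return a fresh token, or None on failure."""
        expected = PASSWORDS.get(realm)
        if expected is None or not hmac.compare_digest(password.encode(), expected.encode()):
            return None
        realms = self._sessions.pop(token, set()) | {realm}
        new_token = secrets.token_urlsafe(32)  # rotate the token on every login
        self._sessions[new_token] = realms
        return new_token

    def is_authorized(self, realm, token):
        """A request is allowed only if this token logged in to this exact realm."""
        return realm in self._sessions.get(token, set())

    def logout(self, token):
        """Delete the server-side record, so a replayed cookie is worthless."""
        self._sessions.pop(token, None)


def replay_after_logout():
    """Back button + refresh: the browser resends the old token after logout."""
    s = AdminSessions()
    token = s.login("setup", "setup-pw-example")
    before = s.is_authorized("setup", token)
    s.logout(token)
    return before, s.is_authorized("setup", token)


def cross_screen_access():
    """Logging in to one admin screen, then requesting the other by URL."""
    s = AdminSessions()
    token = s.login("setup", "setup-pw-example")
    return s.is_authorized("setup", token), s.is_authorized("header", token)
```

Both helper functions return `(True, False)`: access works while logged in to the matching screen and is refused for a replayed token or for the other screen.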