ID: 0014252
Category: [phplist] Authentication System
Severity: minor
Reproducibility: always
Date Submitted: 24-04-08 02:15
Last Update: 28-04-08 13:28
Reporter: jhorst
View Status: public
Assigned To:
Priority: normal
Resolution: open
Status: new
Product Version: 2.10.5
Summary: 0014252: Login with password in cookie fails
Description: When trying to log in to PHPList, it refused to recognize my password, even though what I typed in matched the password in the database. Finally, I had the authorization function dump to the browser the arguments passed to it. That's when I found that it was using a password from a cookie from another page on my site. The cookie variable was also named "password", but it was encrypted, so the two didn't match. The reason this happened was because the form data was called using $_REQUEST instead of $_POST.

Lines 175 to 181 of admin/index.php currently read as follows:

  if ((!isset($_SESSION["adminloggedin"]) || !$_SESSION["adminloggedin"]) && isset($_REQUEST["login"]) && isset($_REQUEST["password"])) {
    $loginresult = $GLOBALS["admin_auth"]->validateLogin($_REQUEST["login"],$_REQUEST["password"]);
    if (!$loginresult[0]) {
      $_SESSION["adminloggedin"] = "";
      $_SESSION["logindetails"] = "";
      $page = "login";
      logEvent(sprintf($GLOBALS['I18N']->get('invalid login from %s, tried logging in as %s'),$_SERVER['REMOTE_ADDR'],$_REQUEST["login"]));

They should be altered to:

  if ((!isset($_SESSION["adminloggedin"]) || !$_SESSION["adminloggedin"]) && isset($_POST["login"]) && isset($_POST["password"])) {
    $loginresult = $GLOBALS["admin_auth"]->validateLogin($_POST["login"],$_POST["password"]);
    if (!$loginresult[0]) {
      $_SESSION["adminloggedin"] = "";
      $_SESSION["logindetails"] = "";
      $page = "login";
      logEvent(sprintf($GLOBALS['I18N']->get('invalid login from %s, tried logging in as %s'),$_SERVER['REMOTE_ADDR'],$_POST["login"]));

Then the login should work fine.

This also should be fixed for security reasons. In other words, if you happen to have a cookie from your phpList-using site that contains "login" and "password" variables, and they are the same as the phpList login info, it wouldn't matter what you typed into the login boxes -- the cookie information would log you in.
Additional Information: System details:

    * phplist version: 2.10.5
    * PHP version: 5.2.5
    * Browser: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
    * Webserver: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8g DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
    * Website: www.jehovahjirehfarm.com/maillist
    * Mysql Info: 5.0.45-community-log
    * PHP Modules:
          o zip
          o libxml
          o xsl
          o xmlwriter
          o xmlrpc
          o dom
          o xmlreader
          o xml
          o tokenizer
          o tidy
          o session
          o pcre
          o SimpleXML
          o sockets
          o soap
          o SPL
          o standard
          o Reflection
          o pspell
          o posix
          o pgsql
          o mysqli
          o mysql
          o mime_magic
          o mhash
          o mcrypt
          o mbstring
          o json
          o imap
          o iconv
          o hash
          o gettext
          o gd
          o ftp
          o filter
          o exif
          o date
          o curl
          o ctype
          o calendar
          o bz2
          o bcmath
          o zlib
          o openssl
          o cgi-fcgi
          o Zend Optimizer
Tags No tags attached.
Notes
(0045733)
julian (reporter)
24-04-08 12:56

This is a very interesting issue, but we do need to have $_REQUEST instead of $_POST at this instance, in order to keep $_GET running appropriately.
(0045894)
jhorst (reporter)
26-04-08 02:46

What about a simple if() statement that checks $_SERVER['REQUEST_METHOD'] and then uses $_GET[] or $_POST[] as needed?
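
The REQUEST_METHOD check suggested in the last note, sketched as an added example that is not phpList code and was not posted by either commenter: build_request() and credentials_from_request() are hypothetical helper names and the sample values are constructed. It first reproduces how a cookie named "password" shadows the posted field when PHP merges cookies last into $_REQUEST (the default variables_order on PHP 5.2), then reads the credentials from $_GET or $_POST only.

```php
<?php
// Added illustration; not phpList code. Helper names and sample values are hypothetical.

// Rebuild $_REQUEST the way PHP does for an order string such as "GPC":
// sources are applied left to right, and a later source overwrites an earlier one.
function build_request(array $get, array $post, array $cookie, $order = 'GPC')
{
    $sources = array('G' => $get, 'P' => $post, 'C' => $cookie);
    $merged = array();
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = $sources[$letter] + $merged; // left operand wins on key clashes
        }
    }
    return $merged;
}

// Read login and password only from the array that matches the request method.
// Cookies are never consulted; non-string values (e.g. password[]=x) are rejected.
function credentials_from_request($method, array $get, array $post)
{
    $src = (strtoupper($method) === 'POST') ? $post : $get;
    foreach (array('login', 'password') as $field) {
        if (!isset($src[$field]) || !is_string($src[$field])) {
            return null;
        }
    }
    return array($src['login'], $src['password']);
}

// Constructed request: the admin form is posted while an unrelated page on the
// same site has set its own "password" cookie.
$get    = array();
$post   = array('login' => 'admin', 'password' => 'typed-in-form');
$cookie = array('password' => 'encrypted-value-from-other-page');

$request = build_request($get, $post, $cookie);
echo 'via $_REQUEST: ', $request['password'], "\n"; // cookie shadows the form field

$creds = credentials_from_request('POST', $get, $post);
echo 'via method check: ', $creds[1], "\n";         // the value the user typed

// A cookie alone no longer counts as a login attempt.
var_dump(credentials_from_request('GET', $get, $post));
```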

