I've been able to log in to the administration panel with another user's password. That is to say, once I'm a valid control panel user, I can use my password to log in to anyone's account.
Logged In: YES
I've done some more testing. This is actually what's happening:
I'm trying to log in with a nonexistent user. For example, username: asdf, password: asdf. Ravencore returns an error "Unable to load page, no uid from session". Now if I press "logout" or try to go to the initial page, the control panel won't let me. I always get redirected to the "Unable to load page, no uid from session" error page.
So, I close my browser and reopen it again. Now I can go to the initial page. If I enter an existing username and _ANY_ (e.g. asdfghjk) password, ravencore will let me in. With admin user this trick doesn't work though.
I'm not much of a programmer, so I could be wrong, but I guess this issue has something to do with session handling. If I log in as 'admin', on the "system/sessions" page the sessions of all the nonexistent users I've tried to log in with are listed there. Once I delete all sessions, ravencore once again doesn't let me log in with an existing login and an incorrect password.
I've installed the rpm ravencore-0.3.2-1.noarch.rpm from the ravencore.com download page. I have CentOS 5 and CentOS 4.5 systems where I can reproduce this issue. I've been browsing the internet to find out whether all ravencore panels are vulnerable. They are not. I could find just a couple where I got "Unable to load page, no uid from session". The rest of them, including demo.ravencore.com, just redirected me to the main page with an "Authentication failure" message.
The problem disappeared after changing var/lib/includes/auth.pm:
- return 1 if %row;
+ return 1 if $result->rows;
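Review bot: the removed predicate `return 1 if %row;` tests whether the hash has any keys, which reflects whatever was last stored in %row rather than whether the credential query that was just run matched anything; a check like that can stay true across lookups, which is consistent with the stale-session symptom described above. The replacement `return 1 if $result->rows;` ties the decision to the statement handle, but with DBI `$sth->rows` is not guaranteed to be meaningful for a SELECT until the rows have been fetched (some drivers report the number fetched so far, others -1), so the more robust form is to fetch the row and test that, e.g. `my $row = $result->fetchrow_hashref; return 1 if defined $row;`, and to declare %row with `my` inside the routine so it cannot carry state between calls. The hunk is also shown without an @@ header or file context, so the query that produces $result, and whether it compares the password at all, cannot be reviewed here.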
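As an added illustration, not code from the page or from Ravencore (whose auth.pm is Perl and is not shown here), the following Python models the difference between the two predicates in the diff: deciding success on whether a reused container is non-empty (`%row`) versus on the row count of the credential query just executed (`$result->rows`). The user table, the hashing, and the assumption that the row hash outlives a single check are all constructed for the example; the exact trigger the reporter describes (a failed login for a nonexistent user) is not reproduced, only the defect class.

```python
import hashlib
import sqlite3


def _pw_hash(password: str) -> str:
    """Hash used by the constructed user table (placeholder, not Ravencore's)."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table with two sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    db.executemany(
        "INSERT INTO users (name, pw_hash) VALUES (?, ?)",
        [("admin", _pw_hash("s3cret")), ("alice", _pw_hash("hunter2"))],
    )
    return db


class VulnerableAuth:
    """Models `return 1 if %row`: success means 'the row hash is non-empty'.

    Assumption (not taken from the page): the hash outlives one check and is
    never cleared, so once it has been filled every later check succeeds
    regardless of the credentials passed in.
    """

    def __init__(self, db: sqlite3.Connection) -> None:
        self.db = db
        self.row: dict = {}  # persists across calls

    def check(self, user: str, password: str) -> bool:
        cur = self.db.execute(
            "SELECT name FROM users WHERE name = ? AND pw_hash = ?",
            (user, _pw_hash(password)),
        )
        hit = cur.fetchone()
        if hit is not None:
            self.row = {"name": hit[0]}  # filled on a match, never emptied
        return bool(self.row)  # BUG: tests the hash, not this query's result


class FixedAuth:
    """Models `return 1 if $result->rows`: success is tied to the row count of
    the credential query that was just executed, with no carried-over state."""

    def __init__(self, db: sqlite3.Connection) -> None:
        self.db = db

    def check(self, user: str, password: str) -> bool:
        # Python's sqlite3 reports rowcount == -1 for SELECT, so count explicitly.
        cur = self.db.execute(
            "SELECT COUNT(*) FROM users WHERE name = ? AND pw_hash = ?",
            (user, _pw_hash(password)),
        )
        (count,) = cur.fetchone()
        return count == 1


def demo() -> dict:
    """Run the same credential sequence through both versions."""
    db = make_db()
    vuln, fixed = VulnerableAuth(db), FixedAuth(db)
    sequence = [("alice", "hunter2"), ("alice", "asdfghjk"), ("nobody", "asdf")]
    return {
        "vulnerable": [vuln.check(u, p) for u, p in sequence],
        "fixed": [fixed.check(u, p) for u, p in sequence],
    }


if __name__ == "__main__":
    print(demo())
```

After one valid login the vulnerable version accepts a wrong password for alice and even a nonexistent user, because its answer comes from the leftover contents of `row`; the fixed version answers only from the query it just ran. The same point applies to the Perl: whatever populates `%row`, the authentication decision has to be derived from the current lookup, not from a hash that may already hold data.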