#53 successful login with other users' password

open-works-for-me
nobody
None
5
2007-07-27
2007-07-25
facha
No

I've been able to log in to the administration panel with another user's password. So to say, once I'm a valid control panel user, I can use my password to log in to anyone's account.

Discussion

  • facha
    2007-07-26

    Logged In: YES
    user_id=1562170
    Originator: YES

    I've done some more testing. This is actually what's happening:

    I'm trying to log in with a nonexisting user. For example, username: asdf, password: asdf. Ravencore returns an error "Unable to load page, no uid from session". Now if I press "logout" or try to go to the initial page, control panel wouldn't let me. I would always be redirected to "Unable to load page, no uid from session" error page.

    So, I close my browser and reopen it again. Now I can go to the initial page. If I enter an existing username and _ANY_ (e.g. asdfghjk) password, ravencore will let me in. With admin user this trick doesn't work though.

    I'm not nearly a programmer, so I could be wrong, but I guess this issue has something to do with session handling. If I log in as 'admin', on the "system/sessions" page the sessions of all nonexistent users I've tried to log in with are listed there. Once I delete all sessions, once again ravencore doesn't let me log in with an existing login and incorrect password.

    I've installed the rpm ravencore-0.3.2-1.noarch.rpm from the ravencore.com download page. I have centos5 and centos4.5 systems where I can reproduce this issue. I've been browsing the internet to find if all ravencore panels are vulnerable. And they are not. I could find just a couple where I've got "Unable to load page, no uid from session". The rest of them, including demo.ravencore.com, just redirected me to the main page with an "Authentication failure" message.

     
  • facha
    2007-07-27

    Logged In: YES
    user_id=1562170
    Originator: YES

    The problem has disappeared after changing var/lib/includes/auth.pm

    - return 1 if %row;
    + return 1 if $result->rows;
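
    Review bot: On the `+` line, `$result->rows` is only as trustworthy as the handle behind it. If `$result` is a DBI statement handle for a SELECT (an assumption, since the surrounding code is not shown), DBI does not guarantee a usable count until every row has been fetched, and a driver may report -1, which Perl treats as true. It would be safer to fetch the row and test that the fetch returned a defined value. The removed `return 1 if %row;` was true whenever `%row` held any key at all, so it is also worth confirming that `%row` is declared with `my` inside the function and cleared per request; this one-line change does not show where the stale contents came from. The failure path should return an explicit 0.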

     
  • facha
    2007-07-27

    • status: open --> open-works-for-me