SF.net SVN: postfixadmin:[857] branches/postfixadmin-2.3
From: <chr...@us...> - 2010-08-22 12:18:49
Revision: 857 http://postfixadmin.svn.sourceforge.net/postfixadmin/?rev=857&view=rev Author: christian_boltz Date: 2010-08-22 12:18:43 +0000 (Sun, 22 Aug 2010) Log Message: ----------- login.php, templates/login.php - SECURITY: attackers could find out if an admin exists (login pre-filled the username if "only" a wrong password was entered) Thanks to Sebastian Schinzel for pointing this out (via private mail to me). TODO for trunk: simplify the login code - use the password from the first query's $result or only use the second query that includes the password Modified Paths: -------------- branches/postfixadmin-2.3/login.php branches/postfixadmin-2.3/templates/login.php Modified: branches/postfixadmin-2.3/login.php =================================================================== --- branches/postfixadmin-2.3/login.php 2010-08-17 18:20:35 UTC (rev 856) +++ branches/postfixadmin-2.3/login.php 2010-08-22 12:18:43 UTC (rev 857) @@ -19,7 +19,6 @@ * Template Variables: * * tMessage - * tUsername * * Form POST \ GET Variables: * @@ -65,7 +64,6 @@ { $error = 1; $tMessage = '<span class="error_msg">' . $PALANG['pLogin_failed'] . '</span>'; - $tUsername = htmlentities($fUsername, ENT_QUOTES, 'UTF-8'); } } else Modified: branches/postfixadmin-2.3/templates/login.php =================================================================== --- branches/postfixadmin-2.3/templates/login.php 2010-08-17 18:20:35 UTC (rev 856) +++ branches/postfixadmin-2.3/templates/login.php 2010-08-22 12:18:43 UTC (rev 857) @@ -7,7 +7,7 @@ </tr> <tr> <td><?php print $PALANG['pLogin_username'] . ":"; ?></td> - <td><input class="flat" type="text" name="fUsername" value="<?php print $tUsername; ?>" /></td> + <td><input class="flat" type="text" name="fUsername" value="" /></td> </tr> <tr> <td><?php print $PALANG['pLogin_password'] . ":"; ?></td> This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
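Review bot: In the second login.php hunk (@@ -65,7 +64,6 @@), dropping the `$tUsername = htmlentities($fUsername, ENT_QUOTES, 'UTF-8');` assignment closes the enumeration leak in the response body, since both "unknown user" and "wrong password" now produce the same `$PALANG['pLogin_failed']` message with an empty username field; please confirm no other branch of login.php still assigns or reads `$tUsername`, otherwise an undefined-variable notice will surface once the template stops referencing it. The TODO in the log message is worth acting on soon: as long as the two failure cases run a different number of queries, the response body is uniform but the work done per path is not, so collapsing to a single query that checks username and password together is the cleaner end state.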
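Review bot: In the templates/login.php hunk, `value=""` on the `fUsername` input is now a constant empty attribute and can simply be omitted (`<input class="flat" type="text" name="fUsername" />`), which also makes it obvious to later readers that the field is intentionally never pre-filled; a short comment next to the input stating that the username must not be echoed back after a failed login would stop the convenience from being reintroduced.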