I've been able to log in to the administration panel with another user's password. That is, once I'm a valid control panel user, I can use my password to log in to anyone's account.
I've done some more testing. This is actually what's happening:
I'm trying to log in with a nonexistent user. For example, username: asdf, password: asdf. Ravencore returns an error "Unable to load page, no uid from session". Now if I press "logout" or try to go to the initial page, the control panel won't let me. I am always redirected to the "Unable to load page, no uid from session" error page.
So, I close my browser and reopen it again. Now I can go to the initial page. If I enter an existing username and _ANY_ (e.g. asdfghjk) password, ravencore will let me in. With the admin user this trick doesn't work, though.
I'm not much of a programmer, so I could be wrong, but I guess this issue has something to do with session handling. If I log in as 'admin', on the "system/sessions" page the sessions of all the nonexistent users I've tried to log in with are listed there. Once I delete all the sessions, ravencore once again doesn't let me log in with an existing login and an incorrect password.
I've installed the rpm ravencore-0.3.2-1.noarch.rpm from the ravencore.com download page. I have centos5 and centos4.5 systems where I can reproduce this issue. I've been browsing the internet to find out whether all ravencore panels are vulnerable. They are not. I could find just a couple where I got "Unable to load page, no uid from session". The rest of them, including demo.ravencore.com, just redirected me to the main page with an "Authentication failure" message.
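The sequence in this comment, as an added example that is not Ravencore's code: a Python/sqlite reconstruction of the pattern the reporter describes, in which the login check keys success off a row dict that is shared between the session lookup and the password check, so a stale session row loaded earlier in the request makes a wrong password pass until the sessions are deleted. That shared-dict data flow is an assumption (the page does not show auth.pm), as are the table layout, the `ROW` variable, the `sess-*` ids and the two sample users. The `login_fixed` function beside it keys success only off the row fetched for the supplied credentials and creates a session only after the password verifies.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3

ITERATIONS = 50_000  # kept low so the walk-through runs quickly


def pwhash(password, salt):
    """PBKDF2-SHA256 of the password under a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_db():
    """Constructed sample data: two users and an empty sessions table."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(
        "CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT UNIQUE,"
        " salt BLOB, pwhash BLOB);"
        "CREATE TABLE sessions (sid TEXT PRIMARY KEY, uid INTEGER);"
    )
    for uid, name, pw in ((1, "admin", "correct horse"), (2, "alice", "s3cret")):
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                     (uid, name, salt, pwhash(pw, salt)))
    return conn


# Vulnerable pattern (assumed): one row dict reused by every lookup in a request,
# like a Perl %row declared once and assigned to by several queries.
ROW = {}


def new_request():
    """Each CGI request starts with an empty row dict."""
    global ROW
    ROW = {}


def load_session_vulnerable(conn, sid):
    """Page load: copy the session row into the shared dict if one exists."""
    global ROW
    r = conn.execute("SELECT sid, uid FROM sessions WHERE sid = ?", (sid,)).fetchone()
    if r is not None:
        ROW = {k: r[k] for k in r.keys()}
    return ROW.get("uid")  # None is the "no uid from session" state


def login_vulnerable(conn, sid, username, password):
    """Records a session before checking anything, then tests ROW for success."""
    global ROW
    conn.execute("INSERT OR IGNORE INTO sessions (sid, uid) VALUES (?, NULL)", (sid,))
    user = conn.execute("SELECT uid, salt, pwhash FROM users WHERE username = ?",
                        (username,)).fetchone()
    if user is None:
        return False  # unknown usernames are still rejected
    if hmac.compare_digest(user["pwhash"], pwhash(password, user["salt"])):
        ROW = {k: user[k] for k in user.keys()}
    # BUG: a wrong password leaves ROW untouched, so a stale session row loaded
    # earlier in the request is enough to make this test pass.
    if ROW:
        conn.execute("UPDATE sessions SET uid = ? WHERE sid = ?", (user["uid"], sid))
        return True
    return False


def login_fixed(conn, username, password):
    """Success depends only on the row fetched for these credentials.
    Returns a new session id, created only after the password verifies."""
    user = conn.execute("SELECT uid, salt, pwhash FROM users WHERE username = ?",
                        (username,)).fetchone()
    if user is None or not hmac.compare_digest(user["pwhash"], pwhash(password, user["salt"])):
        return None
    sid = secrets.token_hex(16)
    conn.execute("INSERT INTO sessions (sid, uid) VALUES (?, ?)", (sid, user["uid"]))
    return sid


def reproduce():
    """Replays the comment's steps; returns (bad user, session uid, bypass,
    after clearing sessions, fixed check) so the outcome can be asserted."""
    conn = make_db()
    new_request()
    bad_user = login_vulnerable(conn, "sess-1", "asdf", "asdf")     # creates sess-1 with no uid
    new_request()
    uid = load_session_vulnerable(conn, "sess-1")                     # "no uid from session"
    bypass = login_vulnerable(conn, "sess-1", "alice", "asdfghjk")    # wrong password accepted
    conn.execute("DELETE FROM sessions")                              # admin clears system/sessions
    new_request()
    load_session_vulnerable(conn, "sess-2")                           # nothing to load now
    after_clear = login_vulnerable(conn, "sess-2", "alice", "asdfghjk")
    fixed = login_fixed(conn, "alice", "asdfghjk")
    return bad_user, uid, bypass, after_clear, fixed
```

`reproduce()` returns `(False, None, True, False, None)`: the unknown user is rejected, the page load sees a session with no uid, the existing user then gets in with any password, clearing the sessions closes the hole again, and the fixed check never accepts the wrong password. The design point is that the success signal must be the row (or the verified hash) obtained for this request's credentials, held in a variable scoped to that check, never a count or a variable that an earlier query could have filled.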
Logged In: YES
user_id=1562170
Originator: YES
The problem has disappeared after changing var/lib/includes/auth.pm
- return 1 if %row;
+ return 1 if $result->rows;
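Review bot: `$result->rows` is not a dependable success signal for a SELECT in the `+` line: DBI documents that the row count is unreliable for SELECT statements until all rows have been fetched and returns -1 when it is unknown, and -1 is true in a Perl boolean test, so `return 1 if $result->rows` could authenticate on an unknown count. Key success off the row actually fetched for the supplied credentials instead, e.g. `my $row = $result->fetchrow_hashref; return 1 if $row;` with `$row` declared in this scope rather than a hash that other queries in the request also write to. A comment on why `%row` was true on a bad password would also help the next reader of auth.pm.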