Ticket #197 (closed defect: fixed)

Opened 4 years ago

Last modified 4 years ago

Bad connection string in SQL authentication allows bogus users to login

Reported by: rjl Owned by: rjl
Priority: high Milestone: 1.0.0 RC6
Component: PHP scripts Version: 1.0.0 RC6
Severity: major Keywords: sql authentication auth login
Cc:

Description

As reported by James Corteciano and Brian McDonald?, a typo in the database connection string for SQL authentication allows unregistered users to login (e.g. username "--", password "--"). This should not succeed, obviously, and an error should be reported. The failed database connection should also be logged as an error.

Change History

Changed 4 years ago by jleaver

  • status changed from new to closed
  • resolution set to fixed

Fixed. Changed: $authenticated = (!($email === false)); to:

if (PEAR::isError($email)) {

$authenticated = false;

} else {

$authenticated = (!($email === false));

}

That way, DB::errors that are passed on failure to connect no longer assume that login occured. A Warning message is issued by the DB code, and is sent to the php error mech.

Note: See TracTickets for help on using tickets.