Opened 15 years ago

Closed 15 years ago

#197 closed defect (fixed)

Bad connection string in SQL authentication allows bogus users to log in

Reported by: rjl Owned by: rjl
Priority: high Milestone: 1.0.0 RC6
Component: PHP scripts Version: 1.0.0 RC6
Severity: major Keywords: sql authentication auth login
Cc:

Description

As reported by James Corteciano and Brian McDonald, a typo in the database connection string for SQL authentication allows unregistered users to log in (e.g. username "--", password "--"). This should not succeed, obviously, and an error should be reported. The failed database connection should also be logged as an error.

Change History (1)

comment:1 Changed 15 years ago by jleaver

  • Resolution set to fixed
  • Status changed from new to closed

Fixed. Changed:

  $authenticated = (!($email === false));

to:

  if (PEAR::isError($email)) {
      // A DB error object (e.g. a failed connection) is not === false,
      // so it must be rejected explicitly rather than treated as a match.
      $authenticated = false;
  } else {
      $authenticated = (!($email === false));
  }

That way, DB::errors that are passed on failure to connect no longer assume that login occurred. A Warning message is issued by the DB code, and is sent to the PHP error mech.
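As an added example, not code from this ticket or from the project's PHP scripts, the following stand-alone PHP script reproduces the defect and the fix with a constructed stand-in for the PEAR DB error object. FakeDbError, isDbError() and lookupEmail() are assumptions made for this illustration, not PEAR API; the real code uses PEAR::isError() on the value returned by the DB layer.

```php
<?php
// Added example (not the project's code): a minimal stand-in for the PEAR DB
// behaviour the ticket describes. When the connection string is bad, the DB
// layer returns an error object instead of a result, and that object is
// neither false nor an empty string, so a naive "=== false" test passes.
// The class and function names below are constructed for this illustration.

class FakeDbError
{
    public $message;
    public function __construct($message) { $this->message = $message; }
}

// Stand-in for PEAR::isError(): true when the value is an error object.
function isDbError($value)
{
    return $value instanceof FakeDbError;
}

// Constructed lookup: returns the user's email on a credential match, false
// when the credentials do not match, and an error object when the connection
// failed (the bad-connection-string case from the report).
function lookupEmail($connectionOk, $username, $password)
{
    if (!$connectionOk) {
        return new FakeDbError('DB Error: connect failed');
    }
    $users = array(
        'alice' => array('password' => 'secret', 'email' => 'alice@example.org'),
    );
    if (isset($users[$username]) && $users[$username]['password'] === $password) {
        return $users[$username]['email'];
    }
    return false;
}

// The check the ticket replaced: an error object is not identical to false,
// so a failed connection is treated as a successful login.
function authenticateBefore($email)
{
    return !($email === false);
}

// The check after the fix: test for an error object first, log it so the
// failed connection is visible to operators, and only then fall back to the
// original comparison.
function authenticateAfter($email)
{
    if (isDbError($email)) {
        error_log('SQL authentication: ' . $email->message);
        return false;
    }
    return !($email === false);
}

function describe($authenticated)
{
    return $authenticated ? 'authenticated' : 'rejected';
}

// Bad connection string with the bogus credentials from the report.
$result = lookupEmail(false, '--', '--');
echo 'broken connection, before fix: ' . describe(authenticateBefore($result)) . "\n";
echo 'broken connection, after fix:  ' . describe(authenticateAfter($result)) . "\n";

// Working connection: valid and invalid credentials behave the same under both checks.
echo 'good credentials:  ' . describe(authenticateAfter(lookupEmail(true, 'alice', 'secret'))) . "\n";
echo 'wrong credentials: ' . describe(authenticateAfter(lookupEmail(true, 'alice', 'wrong'))) . "\n";
```

Run it with the PHP command-line interpreter. With the connection marked as failed, the original check accepts the "--"/"--" login because the error object is not identical to false, while the fixed check reports the failure through error_log() and rejects it; with a working connection, only the correct password is accepted.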
