[Phpgroupware-tracker] [Bug #1171] admin authentication security hole


From: nobody
Subject: [Phpgroupware-tracker] [Bug #1171] admin authentication security hole
Date: Wed, 19 Mar 2003 23:03:14 -0500

=================== BUG #1171: LATEST MODIFICATIONS ==================
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=1171&group_id=509

Changes by: Dave Hall <address@hidden>
Date: Thu 03/20/03 at 15:03 (Australia/Melbourne)

            What     | Removed                   | Added
---------------------------------------------------------------------------
         Assigned to | seek3r                    | skwashd
             Summary | admin authentication broken | admin authentication security hole


------------------ Additional Follow-up Comments ----------------------------
I have fixed this ... just awaiting test results



=================== BUG #1171: FULL BUG SNAPSHOT ===================


Submitted by: None                    Project: phpGroupWare                 
Submitted on: Tue 09/10/02 at 22:33
Category:  API - Setup                Bug Group:  0.9.14 release            
Severity:  7                          Priority:  Immediate                  
Resolution:  None                     Assigned to:  skwashd                 
Status:  Open                         Component Version:  None              
Platform Version:  Other              Reproducibility:  Every Time          

Summary:  admin authentication security hole

Original Submission:  RE: Authentication for config/setup and header admin broken

"logout" of either admin screen allows you to hit back button on browser, then 
refresh the admin screen and it logs you back in giving full privs without 
prompting for password.

Also it doesn't matter that you have two different passwords for the admin 
screens.  Once logged into either one, you can go to the other without 
authenticating by entering the URL.

This is a major security hole.  

Follow-up Comments
*******************

-------------------------------------------------------
Date: Thu 03/20/03 at 15:03         By: skwashd
I have fixed this ... just awaiting test results


CC list is empty


No files currently attached


For detailed info, follow this link:
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=1171&group_id=509
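
The two behaviours reported above (a session that still works after "logout", and one admin screen's login being accepted by the other) come down to two server-side checks. The following is an added example, not phpGroupWare code and not the fix mentioned in the follow-up, which the report does not show; it is a language-neutral model in Python, and the area names `setup` and `header`, the class `AdminSessions` and the sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AdminSessions:
    """Server-side session table: token -> the one admin area it was issued for."""

    def __init__(self, passwords: dict):
        self._salt = secrets.token_bytes(16)
        self._hashes = {a: _digest(p, self._salt) for a, p in passwords.items()}
        self._sessions = {}

    def login(self, area: str, password: str):
        expected = self._hashes.get(area)
        if expected is None:
            return None
        if not hmac.compare_digest(expected, _digest(password, self._salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = area  # bind the session to this area only
        return token

    def is_authorized(self, token, area: str) -> bool:
        # Valid only if the token still exists server-side AND was issued for this area.
        return token is not None and self._sessions.get(token) == area

    def logout(self, token) -> None:
        # Invalidate on the server; a cookie the browser still holds becomes useless.
        self._sessions.pop(token, None)


def demo() -> dict:
    # Constructed sample passwords, one per admin screen.
    store = AdminSessions({"setup": "setup-pw-example", "header": "header-pw-example"})
    token = store.login("setup", "setup-pw-example")
    result = {
        "setup_ok": store.is_authorized(token, "setup"),
        "header_with_setup_token": store.is_authorized(token, "header"),
        "header_with_setup_password": store.login("header", "setup-pw-example"),
    }
    store.logout(token)
    result["setup_after_logout"] = store.is_authorized(token, "setup")  # replayed token
    return result


if __name__ == "__main__":
    print(demo())
```

A regression test for a report like this one replays the pre-logout token and requests the other area's URL, expecting both to be refused.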
