[Vtigercrm-developers] VTIGER 6 rev. 13871 - SEVERE SECURITY ERROR

Nabalcom info at nablacom.it
Wed Jul 3 11:01:29 UTC 2013


In the User class (modules/Users/Users.php), in the function doLogin at 
line 381, there is a SEVERE ERROR: the user will always be logged in with 
any password. So, if you try to log in as admin you can use "admin/any 
password" and the system will accept your login credentials.
The source code follows:

                 $query = "SELECT * from $this->table_name where user_name=? AND user_password=? AND status = ?";
                 $result = $this->db->requirePsSingleResult($query, array($usr_name, $encrypted_password, 'Active'), false);
                 if (empty($result)) {
                      return true;   // no matching row (wrong password, inactive or unknown user), yet the login succeeds
                 } else {
                     return true;
                 }
                 break;



Line 381 MUST BE CHANGED to: return false;
-- 
_______________________
ing. Roberto Santacroce
CEO at Nablacom

santacroce at nablacom.it
Tel/Fax +39894456012
Mobile +393470458824
Skype: nablacom
Via G. Accarino, 18 - 84013 - Cava de' Tirreni (SA)

Pursuant to Legislative Decree no. 196 of 30.06.03 (Privacy Code), this message may contain confidential and/or privileged information intended exclusively for the addressee. If you are not the addressee or authorized to receive this message on the addressee's behalf, you must not use, copy, disclose or take any action based on this message or any information herein.
If you have received this message in error, please advise the sender immediately by reply e-mail and delete it without copying or forwarding it to third parties. Thank you for your cooperation.
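The defect reported above, as an added example that is not vtiger's code: a minimal stand-in for the doLogin check with the broken and corrected branches side by side. The users table is an in-memory array constructed here, and the database lookup with requirePsSingleResult (which in vtiger compares a pre-hashed $encrypted_password in SQL) is replaced by a hypothetical lookupActiveUser() helper that uses password_verify(); names and data are assumptions for the demonstration.

```php
<?php
// Added example, not vtiger's own code. Models the doLogin result check
// discussed in the post with a constructed in-memory users table.

// Constructed sample table: user_name => ['hash' => ..., 'status' => ...].
// Hashes are generated at runtime so the script is self-contained.
function sampleUsers(): array {
    return [
        'admin'  => ['hash' => password_hash('correct-horse', PASSWORD_DEFAULT), 'status' => 'Active'],
        'former' => ['hash' => password_hash('left-long-ago', PASSWORD_DEFAULT), 'status' => 'Inactive'],
    ];
}

// Hypothetical stand-in for requirePsSingleResult(): returns the row only
// when the user exists, is Active and the password verifies; otherwise an
// empty array, mirroring an empty result set from the real query.
function lookupActiveUser(array $users, string $name, string $password): array {
    if (!isset($users[$name])) {
        return [];
    }
    $row = $users[$name];
    if ($row['status'] !== 'Active') {
        return [];
    }
    if (!password_verify($password, $row['hash'])) {
        return [];
    }
    return $row;
}

// Broken shape from the post: both branches return true, so the lookup
// result is computed and then ignored. Any password logs in.
function doLoginBroken(array $users, string $name, string $password): bool {
    $result = lookupActiveUser($users, $name, $password);
    if (empty($result)) {
        return true;   // BUG: no matching row, but login still succeeds
    } else {
        return true;
    }
}

// Corrected shape: an empty result means no active user matched these
// credentials, so the login must fail.
function doLoginFixed(array $users, string $name, string $password): bool {
    $result = lookupActiveUser($users, $name, $password);
    if (empty($result)) {
        return false;
    }
    return true;
}

// Regression cases a reviewer of the fix should run: right password,
// wrong password, inactive account, unknown account.
$users = sampleUsers();
$cases = [
    ['admin',  'correct-horse'],
    ['admin',  'any password'],
    ['former', 'left-long-ago'],
    ['nobody', 'x'],
];
foreach ($cases as [$u, $p]) {
    printf("%-7s %-15s broken=%-5s fixed=%s\n", $u, $p,
        doLoginBroken($users, $u, $p) ? 'true' : 'false',
        doLoginFixed($users, $u, $p) ? 'true' : 'false');
}
```

Run with `php` on the command line: the broken variant accepts all four cases, the fixed one accepts only admin with the correct password. When applying the one-line fix, test all four cases rather than just the happy path, since the inactive-user and unknown-user cases exercise the same empty-result branch as the wrong-password case.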
