[Vtigercrm-developers] VTIGER 6 rev. 13871 - SEVERE SECURITY ERROR

Prasad prasad at vtiger.com
Wed Jul 3 13:40:04 UTC 2013


Nabalcom,

Thanks for the alert (we applied the fix) -
this issue cropped up in a previous testing cycle, specifically related to a PHP crypt
types clash.

Regards,
Prasad
Connect with us on: Twitter <http://twitter.com/vtigercrm> | Facebook <http://www.facebook.com/pages/vtiger/226866697333578?sk=wall> | Blog <http://blog.vtiger.com/> | Wiki <http://wiki.vtiger.com/index.php/Main_Page> | Forums <http://forums.vtiger.com/> | Website <http://vtiger.com/>


On Wed, Jul 3, 2013 at 4:31 PM, Nabalcom <info at nablacom.it> wrote:

>
> In the User class (modules/Users/Users.php), in the function doLogin at line
> 381, there is a SEVERE ERROR: the user will always be logged in with any
> password. So, if you try to log in as admin you can use "admin/any password"
> and the system will accept your login credentials.
> The source code follows:
>
> $query = "SELECT * from $this->table_name where user_name=? AND user_password=? AND status = ?";
> $result = $this->db->requirePsSingleResult($query, array($usr_name, $encrypted_password, 'Active'), false);
> if (empty($result)) {
>     return true;   // no matching row, yet the login is reported as successful
> } else {
>     return true;
> }
> break;
>
>
>
> Line 381 MUST BE CHANGED to return false;
> --
> _______________________
> ing. Roberto Santacroce
> CEO at Nablacom
> santacroce at nablacom.it
> Tel/Fax +39894456012
> Mobile +393470458824
> Skype: nablacom
> Via G. Accarino, 18 - 84013 - Cava de' Tirreni (SA)
>
> Pursuant to Legislative Decree No. 196 of 30 June 2003 (Privacy Code), please note that the information contained in this message is confidential and for the exclusive use of the addressee. If this message has reached you in error, please delete it without copying it and do not forward it to third parties, kindly notifying us. Thank you.
>
> This message, pursuant to D.lgs n.196 / 30.06.03 (Privacy Code), may contain confidential and/or privileged information. If you are not the addressee, or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein.
> If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
>
>
> _______________________________________________
> http://www.vtiger.com/
>
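The defect reported in the quoted message is a control-flow bug, not a cryptographic one: whichever way the credential lookup goes, doLogin reports success. The following is an added example, not vtiger's code, that reproduces that shape next to a corrected check and runs the negative test (wrong password, unknown user, inactive account) that would have caught it. FakeUserStore, its sample rows, and the use of password_hash()/password_verify() are assumptions made for this illustration; the real module compared a pre-hashed value inside the SQL WHERE clause, and the names used here are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the user table: "single row or nothing" for an
// active user. Not vtiger's DB layer; it exists so the example runs offline.
final class FakeUserStore
{
    /** @var array<int, array{user_name:string,user_password:string,status:string}> */
    private array $rows;

    public function __construct(array $rows)
    {
        $this->rows = $rows;
    }

    /** Returns the matching active row, or null when there is none. */
    public function findActive(string $userName): ?array
    {
        foreach ($this->rows as $row) {
            if ($row['user_name'] === $userName && $row['status'] === 'Active') {
                return $row;
            }
        }
        return null;
    }
}

// Vulnerable shape: the "no matching row" branch returns true, so any
// password (and any user name) is accepted.
function doLoginBuggy(FakeUserStore $db, string $userName, string $password): bool
{
    $row = $db->findActive($userName);
    $matched = $row !== null && password_verify($password, $row['user_password']);
    if (!$matched) {
        return true;   // BUG: the failure path must return false
    } else {
        return true;
    }
}

// Corrected shape: a failed lookup or a failed verify is a failed login.
function doLoginFixed(FakeUserStore $db, string $userName, string $password): bool
{
    $row = $db->findActive($userName);
    // Verify against a throwaway hash when the user is unknown, so the
    // unknown-user and wrong-password paths take about the same time.
    $hash = $row['user_password'] ?? password_hash('placeholder-so-verify-runs', PASSWORD_DEFAULT);
    $verified = password_verify($password, $hash);
    return $row !== null && $verified;
}

// Constructed sample data: one active admin with a known password, one
// inactive account.
$db = new FakeUserStore([
    ['user_name' => 'admin', 'user_password' => password_hash('correct horse', PASSWORD_DEFAULT), 'status' => 'Active'],
    ['user_name' => 'old',   'user_password' => password_hash('x', PASSWORD_DEFAULT),             'status' => 'Inactive'],
]);

// The cases a regression test for doLogin should carry: exactly one of these
// may succeed. The buggy version passes the first and fails all the rest.
$cases = [
    ['admin',  'correct horse', true],
    ['admin',  'any password',  false],
    ['admin',  '',              false],
    ['nobody', 'correct horse', false],
    ['old',    'x',             false],   // inactive account
];

foreach (['doLoginBuggy', 'doLoginFixed'] as $fn) {
    foreach ($cases as [$user, $pass, $expected]) {
        $got = $fn($db, $user, $pass);
        printf("%-12s user=%-7s pass=%-16s expected=%-5s got=%-5s %s\n",
            $fn, $user, "'$pass'",
            var_export($expected, true), var_export($got, true),
            $got === $expected ? 'ok' : '<-- FAIL');
    }
}
```

The point of the table-driven loop is that a single "wrong password must be rejected" case is enough to flag the bug; an authentication path with no negative test is exactly where a both-branches-return-true mistake survives a release.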