<html>
<head>
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-15">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-text-html" lang="x-western"> <br>
In User Class (modules/Users/Users.php) into the function doLogin
at line 381 there is a SEVERE ERROR: the user will be always
logged with any password. So, if you try to login as admin you can
use "admin/any password" and the system will accept your login
credentials. <br>
In the following the source code:<br>
<pre class="moz-signature" cols="72"> $query = "SELECT * from $this->table_name where user_name=? AND user_password=? AND status = ?";
$result = $this->db->requirePsSingleResult($query, array($usr_name, $encrypted_password, 'Active'), false);
if (empty($result)) {
<font color="#cc0000"> return true;</font>
} else {
return true;
}
break;
The line 381 MUST BE CHANGED in <font color="#cc0000">return false;</font>
--
_______________________
ing. Roberto Santacroce
CEO at Nablacom
<a class="moz-txt-link-abbreviated" href="mailto:santacroce@nablacom.it">santacroce@nablacom.it</a>
Tel/Fax +39894456012
Mobile +393470458824
Skype: nablacom
Via G. Accarino, 18 - 84013 - Cava de' Tirreni (SA)
Ai sensi del D.lgs n.196 del 30.06.03 (Codice Privacy) si precisa che le informazioni contenute in questo messaggio sono riservate e ad uso esclusivo del destinatario. Qualora il messaggio in parola Le fosse pervenuto per errore, La preghiamo di eliminarlo senza copiarlo e di non inoltrarlo a terzi, dandocene gentilmente comunicazione. Grazie
This message, for the D.lgs n.196 / 30.06.03 (Privacy Code), may contain confidential and/or privileged information. If you are not the address or authorized to receive this for the address, you must not use, copy, disclose or take any action based on this message or any information herein.
If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation</pre>
</div>
</body>
</html>