[Phpgroupware-tracker] [Bug #1171] admin authentication broken
From: nobody
Subject: [Phpgroupware-tracker] [Bug #1171] admin authentication broken
Date: Tue, 10 Sep 2002 19:57:14 -0400

=================== BUG #1171: LATEST MODIFICATIONS ==================
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=1171&group_id=509
Changes by: Dave Hall <address@hidden>
Date: 2002-Sep-11 09:57 (Australia/Melbourne)
What        | Removed     | Added
---------------------------------------------------------------------------
Category    | API - Admin | API - Setup
Assigned to | None        | seek3r

=================== BUG #1171: FULL BUG SNAPSHOT ===================
Submitted by: None
Project: phpGroupWare
Submitted on: 2002-Sep-10 22:33
Category: API - Setup
Bug Group: 0.9.14 release
Severity: 5 - Major
Priority: Immediate
Resolution: None
Assigned to: seek3r
Status: Open
Platform Version: Other
Reproducibility: Every Time
Summary: admin authentication broken
Original Submission: RE: Authentication for config/setup and header admin broken

"logout" of either admin screen allows you to hit back button on browser, then
refresh the admin screen and it logs you back in giving full privs without
prompting for password.
Also it doesn't matter that you have two different passwords for the admin
screens. Once logged into either one, you can go to the other without
authenticating by entering the URL.
This is a major security hole.
No Followups Have Been Posted
No files currently attached
For detailed info, follow this link:
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=1171&group_id=509
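
The report does not state the root cause, so the following is an added example, not phpGroupWare code: a sketch of the two properties a fix has to provide, namely that logout destroys the server-side session and that authentication is tracked separately for each admin screen. The area names, function names and the $hashes lookup are assumptions made for illustration.

```php
<?php
// Added example, not phpGroupWare code. Area names, function names and the
// per-area password-hash array are hypothetical.
declare(strict_types=1);

const AREAS = ['setup', 'header'];   // the two admin screens named in the report

function start_admin_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(['cookie_httponly' => true, 'use_strict_mode' => true]);
    }
}

// Log in to ONE area. Success never marks the other area as authenticated,
// so each screen's password is actually enforced.
function admin_login(string $area, string $password, array $hashes): bool {
    if (!in_array($area, AREAS, true) || !isset($hashes[$area])
        || !password_verify($password, $hashes[$area])) {
        return false;
    }
    start_admin_session();
    session_regenerate_id(true);            // fresh id after a privilege change
    $_SESSION['admin_auth'][$area] = true;  // flag is scoped to this area only
    return true;
}

// Gate called at the top of every admin page: checks this area's flag,
// not a single shared "is admin" flag.
function require_admin(string $area): void {
    start_admin_session();
    if (($_SESSION['admin_auth'][$area] ?? false) !== true) {
        http_response_code(401);
        exit('Authentication required for ' . $area);
    }
}

// Logout (ends both areas): wipe the server-side data, expire the cookie and
// destroy the session, so a replayed request after "back" + "refresh" carries
// an id the server no longer honours.
function admin_logout(): void {
    start_admin_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}
```

If the login form itself is what the browser resubmits on refresh, redirecting after a successful login POST keeps the credentials out of the page that "back" returns to.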