Gossamer Forum

Login security bug?

I have just set up DBMan SQL. When I tested it, I found I can log in successfully using a username and pwd which do not exist (for example, a random username and pwd). How about your DBMan? Did I set it up correctly?

Re: Login security bug?
I would double check your .pass table, and also check your user permissions and login permissions in the .cfg file.

Regards,

Eliot Lee
Re: Login security bug?
This is definitely not normal. I've never seen this before; can you email me login info so I can take a look?

The only thing I can think of is if you are running under .htaccess and that directory is password protected, DBMan SQL will try and use that user to log you on automatically.

Cheers,

Alex

--
Gossamer Threads Inc.
Re: Login security bug?
> can you email me login info so I can take a look
The program is installed on my Intranet now, so you cannot log in to our system.

>you are running under .htaccess and that directory is password protected
No

But I have double checked it. Below is what I have done; I think you can repeat it.

1. download DBman SQL

2. modify db.cfg:

CHANGE $db_script_url = "http://penguin/alex/dbman-sql/db.cgi";
TO $db_script_url = " http://www.intranet/test/db.cgi";

CHANGE @db_connect = ("DBI:mysql:test", "root", "root");
TO @db_connect = ("DBI:mysql:test", "test", "");

CHANGE $auth_allow_default = 1;
TO $auth_allow_default = 0;

CHANGE $auth_logoff = "http://www.gossamer-threads.com/";
TO $auth_logoff = "http://www.intranet/test/db.cgi";

3. upload all files and set correct permissions, set up the MySQL user

4. run nph-setup.cgi from the browser, and it tells me all is OK.

5. go to the login form, but you can log in with any username and password. Although he has no permissions (only the main and logoff options in the menu), he did log in! Is this normal? I think he should be told "incorrect username and pwd". Did I miss anything?

Re: Login security bug?
Did anyone get this answered? I am having a similar difficulty; here it is:

EX.1: correct ID and correct PW = correct login
EX.2: correct ID and incorrect PW = invalid error message
EX.3: incorrect ID and any pw = login with no permissions

Re: Login security bug?
I, too, am having the same problems. I just switched my database to the SQL version (made it active yesterday) and am already being inundated with folks wondering why they have no access to anything. If they log in with the correct username and password, but get the case sensitivity of the username wrong (I have my user db set up to be case sensitive), that will also log them in but with no permissions. Has anyone come up with a solution for this?

Thanks!

Melanie
http://www.somemoorecats.com/
http://www.okhima.org/
Re: Login security bug?
Never mind... I think I've got it fixed. Here's the solution if anyone else still has this problem:

Find this section in auth.pl (sub auth_check_password), and add the items in red

# User is trying to login, check username/password and return info.
elsif ($in{'login'}) {
    my $userid_q = $DBH->quote($in{'userid'});
    $query = qq!
        SELECT password, per_view, per_add, per_del, per_mod, per_admin FROM $db_table_user
        WHERE username = $userid_q
    !;
    $sth = $DBH->prepare($query) or &cgierr("Unable to query database. Reason: " . $DBH->errstr . ". Query: $query");
    $sth->execute or &cgierr("Unable to query database. Reason: " . $sth->errstr . ". Query: $query");

    if ($sth->rows) {
        ($orig_password, @perms) = $sth->fetchrow_array;
        $orig_password =~ s/^\s*(\S*)\s*$/$1/;
        $crypt_pass = crypt($in{'pw'}, $orig_password);

        # Create session id and insert it into session table.
        if ($orig_password eq $crypt_pass) {
            srand;
            my $rand = int(rand(100000));
            $session_id = "$in{'userid'}.$rand";
            my $session_id_q = $DBH->quote($session_id);

            my $time = time();
            $query = qq!
                INSERT INTO $db_table_session (session_id, create_time)
                VALUES ($session_id_q, $time)
            !;
            $DBH->do($query) or &cgierr("Unable to insert session id. Reason: " . $DBH->errstr . ". Query: $query");
        }
    }
    else {
        return "invalid username/password";
    }

Melanie
http://www.somemoorecats.com/
http://www.okhima.org/
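Both symptoms in this thread (an unknown username logging in, and a correctly spelled but wrongly cased username logging in with no permissions) come out of the same login branch, so here is an added Python model of it, not DBMan SQL's own Perl. It puts the original "fetch, then compare" shape beside a version that fails closed when no row comes back; `USERS`, `crypt_like` (a stand-in for crypt(3) returning NULL on an empty salt, which Perl turns into undef) and `permissions_for` are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed users table standing in for DBMan's user table. Keys are
# lowercased to mimic MySQL's default case-insensitive "WHERE username = ...";
# each row keeps the username exactly as stored.
USERS = {
    "melanie": {"username": "Melanie", "password": None, "perms": ("view", "add")},
}


def crypt_like(pw, salt):
    """Stand-in for crypt(3) as Perl's crypt() calls it: the stored hash doubles
    as the salt, and an empty or truncated salt yields NULL (None here)."""
    if len(salt) < 2:
        return None
    return salt[:2] + hashlib.sha256((salt[:2] + pw).encode()).hexdigest()


USERS["melanie"]["password"] = crypt_like("s3cret", "ab")  # constructed credential


def auth_check_vulnerable(db, userid, pw):
    # Shape of the original branch: fetch, then compare, never asking whether a
    # row came back. With no row, orig_password is undef, crypt() of an empty
    # salt is also undef, and undef eq undef is true in Perl (None == None here).
    row = db.get(userid.lower())
    orig_password = row["password"] if row else None
    if crypt_like(pw, orig_password or "") == orig_password:
        return f"{userid}.{secrets.randbelow(100000)}"  # session id uses the typed name
    return "invalid username/password"


def permissions_for(db, session_id):
    # Later requests recover the username from the session id and match it
    # exactly, so a session built from a differently cased name gets nothing.
    username = session_id.rsplit(".", 1)[0]
    for row in db.values():
        if row["username"] == username:
            return row["perms"]
    return ()


def auth_check_fixed(db, userid, pw):
    row = db.get(userid.lower())
    if row is None:
        return "invalid username/password"  # fail closed before any comparison
    candidate = crypt_like(pw, row["password"])
    if candidate is None or not hmac.compare_digest(candidate, row["password"]):
        return "invalid username/password"
    return f"{row['username']}.{secrets.randbelow(100000)}"  # name as stored
```

Running the vulnerable function with a made-up username returns a session whose permission lookup is empty, which is exactly the "logged in but no permissions" state described above; the fixed function rejects it and also builds the session from the stored username, so a differently cased login keeps its permissions.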