Martijn Houtman <[EMAIL PROTECTED]> wrote:
>    I have some remarks about the Bugtracker templates:
>     
>    - In the code in the Bugtracker "method=pagelogon" is not used for admin
>    logon. When I read the documentation this could be a security error.

Yes, you are right. Actually the bugtracker was the reason that this ended
up in the documentation. We had no time yet to update the bugtracker too.

Now that it has become public knowledge, it becomes more urgent though...

>    - Checking the logon of a user with account='$account' AND
>    password='$password' seems to be sensitive to SQL injection. You can get
>    password=' ' OR '1'='1'. An additional compare of the values could solve
>    this.

The bugtracker's security should be removed and replaced by real security.

 Michiel

-- 
Michiel Meeuwissen
Mediacentrum 140 H'sum 
+31 (0)35 6772979
nl_NL eo_XX en_US
mihxil'
 [] ()
