Re: [dl-ticket-service] Authentication accepts any username / password combination

2014-07-30 Thread Yuri D'Elia
On 07/30/2014 09:58 AM, Yuri D'Elia wrote:
> Did you change or set the value of $authRealm in your configuration file
> maybe?
> 
> I just tried this on 0.12 but couldn't reproduce it somehow.

I'd also like to mention that if you could try this on the 0.13 RC1 it
would be great:

  http://www.thregr.org/~wavexx/tmp/dl-0.13-rc1.zip

I got the last translation today and I was planning to make a release,
so it would be nice to confirm that 0.13 is fine.





Re: [dl-ticket-service] Authentication accepts any username / password combination

2014-07-30 Thread Yuri D'Elia
On 07/30/2014 09:25 AM, Edi Füllemann wrote:
> I updated from 0.10 to 0.12 and realized that any username / password is
> accepted by the web frontend. The installation is configured to use internal
> authentication. First I suspected the upgrade process somehow went wrong and
> tried a fresh install. But the problem persisted. When I log in with a
> fantasy username, it gets even added to the database.
> 
> After trying to follow the logon process in the source with my limited PHP
> knowledge, I suspect the software is using external authentication instead
> of internal.
> 
> I could fix the problem for now by commenting out the following part of the
> function userLogin in include/admfuncs.php. This is where the external
> authentication is done and new user accounts added.

Did you change or set the value of $authRealm in your configuration file
maybe?

I just tried this on 0.12 but couldn't reproduce it somehow.