Why not make pagelogon the default behaviour when using password?
ernst
> -----Original message-----
> From: Michiel Meeuwissen [mailto:[EMAIL PROTECTED]
> Sent: Saturday 8 May 2004 11:02
> To: [EMAIL PROTECTED]
> Subject: Re: Bugtracker
>
>
> Martijn Houtman <[EMAIL PROTECTED]> wrote:
> > I have some remarks about the Bugtracker templates:
> >
> > - In the code in the Bugtracker "method=pagelogon" is not used for admin
> > logon. When I read the documentation this could be a security error.
>
> Yes, you are right. Actually the bugtracker was the reason that this ended
> up in the documentation. We have not had time yet to update the bugtracker
> too.
>
> Now it has become public knowledge it becomes more urgent though...
>
> > - Checking the logon of a user with account='$account' AND
> > password='$password' seems to be susceptible to SQL injection. You can get
> > password=' ' OR '1'='1'. An additional compare of the values could solve
> > this.
>
> The bugtracker's security should be removed and replaced by
> real security.
>
> Michiel
>
> --
> Michiel Meeuwissen
> Mediacentrum 140 H'sum
> +31 (0)35 6772979
> nl_NL eo_XX en_US
> mihxil'
> [] ()
>
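The logon check discussed in the thread, shown as an added example that is not code from the MMBase bugtracker or from any of the posters. It assumes a hypothetical `users` table with plaintext `account` and `password` columns (constructed in-memory with sqlite3 for illustration; the real bugtracker schema and database are not known from the thread) and contrasts three variants: the quoted string-concatenated query that the `' OR '1'='1` input bypasses, Martijn's suggested extra compare of the returned values, and a parameterized query that removes the injection entirely.

```python
import sqlite3


def make_db():
    # Constructed sample data, not the bugtracker's real schema or accounts.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (account TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def logon_vulnerable(conn, account, password):
    # The pattern quoted in the thread: user input pasted straight into the SQL text.
    # With password = "' OR '1'='1" the WHERE clause becomes
    #   account='admin' AND password='' OR '1'='1'
    # which is true for every row, so any account (even a bogus one) logs on.
    sql = ("SELECT account, password FROM users "
           "WHERE account='%s' AND password='%s'" % (account, password))
    return conn.execute(sql).fetchone() is not None


def logon_with_compare(conn, account, password):
    # Martijn's suggested mitigation: keep the same query but re-compare the
    # values the database returned against what the user actually supplied.
    # The injected row ('admin', 's3cret') no longer matches the input, so the
    # bypass fails; the injection itself is still possible, only this use of it.
    sql = ("SELECT account, password FROM users "
           "WHERE account='%s' AND password='%s'" % (account, password))
    row = conn.execute(sql).fetchone()
    return row is not None and row[0] == account and row[1] == password


def logon_parameterized(conn, account, password):
    # Bound parameters: the driver sends the values separately from the SQL
    # text, so quote characters in the input never change the query structure.
    sql = "SELECT account, password FROM users WHERE account=? AND password=?"
    return conn.execute(sql, (account, password)).fetchone() is not None


def demo():
    # Returns which variants accept the injected password, for a known and an
    # unknown account name.
    payload = "' OR '1'='1"
    results = {}
    for name, fn in (("vulnerable", logon_vulnerable),
                     ("with_compare", logon_with_compare),
                     ("parameterized", logon_parameterized)):
        results[name] = {
            "valid": fn(make_db(), "admin", "s3cret"),
            "injected_known_account": fn(make_db(), "admin", payload),
            "injected_unknown_account": fn(make_db(), "nobody", payload),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The extra compare only defeats this one authentication bypass; the concatenated query still lets an attacker alter the statement (for example to read other rows, or anything else the database driver allows), so the parameterized form is the fix to keep. Independently of injection, this check compares plaintext passwords, which a real implementation would replace with stored password hashes.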