Hi Andre,
Could you please add this issue to Trac with a recipe that allows a developer to quickly and easily reproduce it:

http://trac.osgeo.org/mapguide/wiki/SubmitTicket

Jason

________________________________
From: Andre Schoonbee
Subject: RE: [mapguide-users] MapGuide Open Source 2.0 (Final) Possible Security Issue

Any feedback on this issue!

Regards
Andre

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andre Schoonbee
Sent: Wednesday, March 12, 2008 10:08 AM
To: 'MapGuide Users Mail List'
Subject: RE: [mapguide-users] MapGuide Open Source 2.0 (Final) Possible Security Issue

I am experiencing the same problem. Any solution yet?

Regards
Andre

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kenneth, GEOGRAF A/S
Sent: Tuesday, March 11, 2008 11:08 AM
To: MapGuide Users Mail List
Subject: Re: [mapguide-users] MapGuide Open Source 2.0 (Final) Possible Security Issue

I have just tested this on my local machine (2.0 rc2), and I cannot log in with any unapproved user. I have multiple MapDefinitions.

I agree that it would be a security bug, but if it is only present when there are no MapDefinitions in the repo, I would say it has almost no practical relevance.

Still, something must be wrong if it happens, and should be fixed.

Regards,
Kenneth, GEOGRAF A/S

Jason Birch wrote:

Seems nasty... Have you had a chance to submit this as a ticket?

https://trac.osgeo.org/mapguide/wiki/SubmitTicket

Jason

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rock Beans
Sent: Wednesday, March 05, 2008 14:30
To: MapGuide Users Mail List
Subject: [mapguide-users] MapGuide Open Source 2.0 (Final) Possible Security Issue

I figured out how to reproduce this problem. If you have no maps defined or created yet and do the call below but use "TYPE=MapDefinition&", it fails with the default user Anonymous. Then it allows the user "Administrator" with no password to do any OPERATION=ENUMERATERESOURCES.

You can also log into Studio using Administrator with any random password as long as it is not blank. I find this to be a huge bug. Can anyone else confirm this?

Original:

After pounding my head for 3 hours I figured out that the FCGI calls were allowing the user name of Administrator with no password. Studio was allowing me to log in to the site with the user name of Administrator and any password, since it doesn't allow blank passwords. The strange thing is I can't log on to the Site Administrator PHP pages without the proper password, though. Anyone else encounter this or have any suggestions?

I went into the Site Administrator and changed the password for the Administrator user as well. The really strange thing was the user Anonymous would not work as it should by default out of the box! It seemed every 3rd attempt with the Anonymous user would allow me to get an XML list; the others said bad user and password.

Example URL (replace localhost with computer/dns name):

http://localhost/mapguide/mapagent/mapagent.fcgi?OPERATION=ENUMERATERESOURCES&VERSION=1.0.0&LOCALE=en&RESOURCEID=Library%3A%2F%2F&TYPE=&DEPTH=-1&COMPUTECHILDREN=1&FORMAT=text%2Fxml&USERNAME=Administrator

Now I changed the password for the Administrator to something other than "admin" and back for testing, and everything works fine. I have no clue what went wrong. I had a co-worker try the link above with "localhost" replaced with my work group "computer name" and he was able to get right in as explained above. Now after everything seems OK he cannot. So I am not sure what caused this or what fixed this, but watch out for this one.

The Rock

________________________________
_______________________________________________
mapguide-users mailing list
mapguide-users@lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/mapguide-users
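The symptom Rock Beans describes (mapagent.fcgi answering an ENUMERATERESOURCES request that names Administrator but carries no password) leaves a trace in the web server's access log, which is the quickest place for an administrator to check whether a site was affected while the ticket is open. The following scan is an added example, not code from this thread or from the MapGuide project. It assumes Apache "combined" log lines, that mapagent.fcgi takes its credentials as USERNAME/PASSWORD (or SESSION) query parameters (the thread's URL shows USERNAME; PASSWORD and SESSION are assumed here), and that a 2xx reply to a named-user request with no password is the condition to flag. The log lines are constructed, not real traffic.

```python
"""Scan web-server access logs for MapGuide mapagent requests that succeeded
without a credential.

Added example, not code from the MapGuide project or the thread. Assumptions:
(1) Apache "combined" access-log lines; (2) mapagent.fcgi identifies the caller
via USERNAME/PASSWORD or SESSION query parameters; (3) a 2xx answer to a request
naming a non-anonymous user with no password is the condition to report.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined format: host ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_mapagent_params(path):
    """Return the query parameters of a mapagent.fcgi request as a flat dict
    (keys upper-cased, last value wins), or None for any other path."""
    parts = urlsplit(path)
    if not parts.path.lower().endswith("/mapagent.fcgi"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    return {k.upper(): v[-1] for k, v in qs.items()}


def credential_state(params):
    """Classify how a mapagent request identified itself."""
    if params.get("SESSION"):
        return "session"
    user = params.get("USERNAME", "")
    if not user or user.lower() == "anonymous":
        return "anonymous"
    if params.get("PASSWORD", "") == "":
        return "named-user-no-password"
    return "named-user-with-password"


def scan_access_log(lines):
    """Return findings for mapagent requests that named a non-anonymous user,
    sent no password (and no session), and still received a 2xx response."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        params = parse_mapagent_params(m.group("path"))
        if params is None:
            continue  # some other URL on the same host
        status = int(m.group("status"))
        if credential_state(params) == "named-user-no-password" and 200 <= status < 300:
            findings.append({
                "line": lineno,
                "host": m.group("host"),
                "user": params.get("USERNAME"),
                "operation": params.get("OPERATION", "?"),
                "status": status,
            })
    return findings


# Constructed sample log lines (not real traffic). The first mirrors the URL
# quoted in the thread: Administrator named, no PASSWORD, server answered 200.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Mar/2008:14:30:01 -0800] "GET /mapguide/mapagent/mapagent.fcgi?OPERATION=ENUMERATERESOURCES&VERSION=1.0.0&LOCALE=en&RESOURCEID=Library%3A%2F%2F&TYPE=&DEPTH=-1&COMPUTECHILDREN=1&FORMAT=text%2Fxml&USERNAME=Administrator HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [05/Mar/2008:14:31:10 -0800] "GET /mapguide/mapagent/mapagent.fcgi?OPERATION=ENUMERATERESOURCES&VERSION=1.0.0&RESOURCEID=Library%3A%2F%2F&TYPE=&DEPTH=-1&USERNAME=Administrator HTTP/1.1" 401 312 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [05/Mar/2008:14:32:00 -0800] "GET /mapguide/mapagent/mapagent.fcgi?OPERATION=GETSITEVERSION&VERSION=1.0.0&USERNAME=Anonymous&PASSWORD= HTTP/1.1" 200 210 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [05/Mar/2008:14:33:00 -0800] "GET /mapguide/mapagent/mapagent.fcgi?OPERATION=ENUMERATERESOURCES&VERSION=1.0.0&RESOURCEID=Library%3A%2F%2F&TYPE=&DEPTH=-1&SESSION=abc123_en_MgSession HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [05/Mar/2008:14:34:00 -0800] "GET /mapguide/mapviewerajax/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['host']} as {f['user']} ran {f['operation']} "
              f"with no password and got HTTP {f['status']}")
```

Only the first constructed line is reported: the second is the same request rejected with 401 (the behaviour Kenneth saw), the third is the Anonymous user, the fourth carries a session id instead of a password, and the fifth is not a mapagent call. Running this over the real access log around the time of a suspected incident gives the list of hosts and operations that got through, which is also the evidence a Trac ticket needs.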