<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
I have just tested this on my local machine (2.0 rc2), and I cannot log
in with any unapproved user.<br>
I have multiple MapDefinitions.<br>
<br>
I agree that it would be a security bug, but if it is only present when
there are no MapDefinitions in the repo, I would say it has almost no
pratical relevance.<br>
Still, something must be wrong if it happens, and should be fixed.<br>
<pre class="moz-signature" cols="72">Regards, Kenneth, GEOGRAF A/S
</pre>
<br>
<br>
Jason Birch skrev:
<blockquote
cite="mid:8E468917B01800408B91984428BE03DD072A5F33@starfish.nanaimo.ca"
type="cite">
<meta http-equiv="Content-Type" content="text/html; ">
<meta name="Generator" content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="Section1">
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">Seems
nasty…<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">Have
you had a chance to submit this as a ticket?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"><a
moz-do-not-send="true"
href="https://trac.osgeo.org/mapguide/wiki/SubmitTicket">https://trac.osgeo.org/mapguide/wiki/SubmitTicket</a><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">Jason<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<div
style="border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p class="MsoNormal"><b><span
style="font-size: 10pt; font-family: "Tahoma","sans-serif";"
lang="EN-US">From:</span></b><span
style="font-size: 10pt; font-family: "Tahoma","sans-serif";"
lang="EN-US"> <a class="moz-txt-link-abbreviated" href="mailto:mapguide-users-bounces@lists.osgeo.org">mapguide-users-bounces@lists.osgeo.org</a>
[<a class="moz-txt-link-freetext" href="mailto:mapguide-users-bounces@lists.osgeo.org">mailto:mapguide-users-bounces@lists.osgeo.org</a>] <b>On Behalf Of </b>Rock
Beans<br>
<b>Sent:</b> Wednesday, March 05, 2008 14:30<br>
<b>To:</b> MapGuide Users Mail List<br>
<b>Subject:</b> [mapguide-users] MapGuide Open Source 2.0 (Final)
Possible
SecurityIssue<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I figured out how to reproduce this problem. If
you have no
maps defined or created yet and do the call below but use
"TYPE=MapDefinition&" it fails with default user Anonymous. Then
it allows the user "Administrator" with no password to do any
OPERATION=ENUMERATERESOURCES. You can also log into Studio using
Administrator
with any random password as long as it is not blank. I find this to be
a huge
bug. Can anyone else confirm this?<br>
<br>
<br>
<br>
Original:<br>
After pounding my head for 3 hours I figured out that that FCGI calls
where
allowing the user name of Administrator with no password. Studio was
allowing
me to log in to the site with the user name of Administrator and any
password
since it doesn't allow blank passwords. The strange thing is I can't
log on to
the Site Administrator PHP pages with out the proper password through.
Anyone
else encounter this or have any suggestions? I went into the Site
Administrator
and changed the password for the Administrator user as well. The really
strange
thing was the user Anonymous would not work as is should default out of
the
box! It seemed every 3rd attempt with the Anonymous user would allow me
to get
an XML list the others said bad user and password.<br>
<br>
Example URL (replace localhost with computer/dns name):<br>
<a moz-do-not-send="true"
href="http://localhost/mapguide/mapagent/mapagent.fcgi?OPERATION=ENUMERATERESOURCES&VERSION=1.0.0&LOCALE=en&RESOURCEID=Library%3A%2F%2F&TYPE=&DEPTH=-1&COMPUTECHILDREN=1&FORMAT=text%2Fxml&USERNAME=Administrator"
target="_blank">http://localhost/mapguide/mapagent/mapagent.fcgi?OPERATION=ENUMERATERESOURCES&VERSION=1.0.0&LOCALE=en&RESOURCEID=Library%3A%2F%2F&TYPE=&DEPTH=-1&COMPUTECHILDREN=1&FORMAT=text%2Fxml&USERNAME=Administrator</a><br>
<br>
Now I changed the password for the Administrator to something other
than
"admin" and back for testing and everything works fine. I have no
clue what went wrong. I had a co-worker try the link above with
"localhost" replaced with my work group "computer name" and
he was able to get right in as explained above. Now after everything
seems OK
he cannot. So I am not sure what caused this or what fixed this but
watch out
for this one.<br>
<br>
<br>
The Rock <o:p></o:p></p>
</div>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
mapguide-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:mapguide-users@lists.osgeo.org">mapguide-users@lists.osgeo.org</a>
<a class="moz-txt-link-freetext" href="http://lists.osgeo.org/mailman/listinfo/mapguide-users">http://lists.osgeo.org/mailman/listinfo/mapguide-users</a>
</pre>
</blockquote>
</body>
</html>