<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="PersonName"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--a:link
        {mso-style-priority:99;}
span.MSOHYPERLINK
        {mso-style-priority:99;}
a:visited
        {mso-style-priority:99;}
span.MSOHYPERLINKFOLLOWED
        {mso-style-priority:99;}
/* Font Definitions */
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Calibri;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";
        color:black;}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;}
pre
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";
        color:black;}
span.EmailStyle18
        {mso-style-type:personal;
        font-family:Calibri;
        color:#1F497D;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:Arial;
        color:navy;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>I am experiencing the same problem. Any
solution yet?<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Regards<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Andre<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
color=black face="Times New Roman"><span style='font-size:12.0pt;color:windowtext'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 color=black face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma;color:windowtext;font-weight:bold'>From:</span></font></b><font
size=2 color=black face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma;
color:windowtext'> mapguide-users-bounces@lists.osgeo.org
[mailto:mapguide-users-bounces@lists.osgeo.org] <b><span style='font-weight:
bold'>On Behalf Of </span></b>Kenneth, GEOGRAF A/S<br>
<b><span style='font-weight:bold'>Sent:</span></b> Tuesday, March 11, 2008
11:08 AM<br>
<b><span style='font-weight:bold'>To:</span></b> <st1:PersonName w:st="on">MapGuide
Users Mail List</st1:PersonName><br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [mapguide-users]
MapGuide Open Source 2.0 (Final)Possible SecurityIssue</span></font><font
color=black><span style='color:windowtext'><o:p></o:p></span></font></p>
</div>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt'>I have just tested this on my local machine (2.0 rc2),
and I cannot log in with any unapproved user.<br>
I have multiple MapDefinitions.<br>
<br>
I agree that it would be a security bug, but if it is only present when there
are no MapDefinitions in the repo, I would say it has almost no practical
relevance.<br>
Still, something must be wrong if it happens, and should be fixed.<br>
<br>
<o:p></o:p></span></font></p>
<pre><font size=2 color=black face="Courier New"><span style='font-size:10.0pt'>Regards, Kenneth, GEOGRAF A/S<o:p></o:p></span></font></pre>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt'><br>
<br>
Jason Birch wrote: <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>Seems nasty…<u5:p></u5:p></span></font><o:p></o:p></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'><u5:p> </u5:p></span></font><o:p></o:p></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>Have you had a
chance to submit this as a ticket?<u5:p></u5:p></span></font><o:p></o:p></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'><u5:p> </u5:p></span></font><o:p></o:p></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'><a
href="https://trac.osgeo.org/mapguide/wiki/SubmitTicket" moz-do-not-send=true>https://trac.osgeo.org/mapguide/wiki/SubmitTicket</a><u5:p></u5:p></span></font><o:p></o:p></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'><u5:p> </u5:p></span></font><o:p></o:p></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>Jason<u5:p></u5:p></span></font><o:p></o:p></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'><u5:p> </u5:p></span></font><o:p></o:p></p>
<div style='border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in;
border-color:-moz-use-text-color -moz-use-text-color'>
<p class=MsoNormal><b><font size=2 color=black face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma;font-weight:bold'>From:</span></font></b><font
size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'> <a
href="mailto:mapguide-users-bounces@lists.osgeo.org">mapguide-users-bounces@lists.osgeo.org</a>
[<a href="mailto:mapguide-users-bounces@lists.osgeo.org">mailto:mapguide-users-bounces@lists.osgeo.org</a>]
<b><span style='font-weight:bold'>On Behalf Of </span></b>Rock Beans<br>
<b><span style='font-weight:bold'>Sent:</span></b> Wednesday, March 05, 2008
14:30<br>
<b><span style='font-weight:bold'>To:</span></b> <st1:PersonName w:st="on">MapGuide
Users Mail List</st1:PersonName><br>
<b><span style='font-weight:bold'>Subject:</span></b> [mapguide-users] MapGuide
Open Source 2.0 (Final) Possible SecurityIssue<u5:p></u5:p></span></font><o:p></o:p></p>
</div>
<p class=MsoNormal><u5:p><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt'> <o:p></o:p></span></font></u5:p></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt'>I figured out how to reproduce this problem. If you
have no maps defined or created yet and do the call below but use
"TYPE=MapDefinition&" it fails with default user Anonymous. Then it
allows the user "Administrator" with no password to do any
OPERATION=ENUMERATERESOURCES. You can also log into Studio using Administrator
with any random password as long as it is not blank. I find this to be a huge
bug. Can anyone else confirm this?<br>
<br>
<br>
<br>
Original:<br>
After pounding my head for 3 hours I figured out that FCGI calls were
allowing the user name of Administrator with no password. Studio was allowing
me to log in to the site with the user name of Administrator and any password
since it doesn't allow blank passwords. The strange thing is I can't log on to
the Site Administrator PHP pages without the proper password though. Anyone
else encounter this or have any suggestions? I went into the Site Administrator
and changed the password for the Administrator user as well. The really strange
thing was the user Anonymous would not work as it should default out of the
box! It seemed every 3rd attempt with the Anonymous user would allow me to get
an XML list; the others said bad user and password.<br>
<br>
Example URL (replace localhost with computer/dns name):<br>
<a
href="http://localhost/mapguide/mapagent/mapagent.fcgi?OPERATION=ENUMERATERESOURCES&VERSION=1.0.0&LOCALE=en&RESOURCEID=Library%3A%2F%2F&TYPE=&DEPTH=-1&COMPUTECHILDREN=1&FORMAT=text%2Fxml&USERNAME=Administrator"
target="_blank" moz-do-not-send=true>http://localhost/mapguide/mapagent/mapagent.fcgi?OPERATION=ENUMERATERESOURCES&VERSION=1.0.0&LOCALE=en&RESOURCEID=Library%3A%2F%2F&TYPE=&DEPTH=-1&COMPUTECHILDREN=1&FORMAT=text%2Fxml&USERNAME=Administrator</a><br>
<br>
Now I changed the password for the Administrator to something other than
"admin" and back for testing and everything works fine. I have no
clue what went wrong. I had a co-worker try the link above with
"localhost" replaced with my work group "computer name" and
he was able to get right in as explained above. Now after everything seems OK
he cannot. So I am not sure what caused this or what fixed this but watch out
for this one.<br>
<br>
<br>
The Rock <o:p></o:p></span></font><u5:p></u5:p></p>
</div>
</body>
</html>