<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:1986548771;
mso-list-type:hybrid;
mso-list-template-ids:1155428776 -1249865918 269025283 269025285 269025281 269025283 269025285 269025281 269025283 269025285;}
@list l0:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:20.25pt;
text-indent:-.25in;
font-family:"Calibri","sans-serif";
mso-fareast-font-family:Calibri;
mso-bidi-font-family:"Times New Roman";}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=EN-CA link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I have tried to duplicate this problem with:<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:2.25pt'><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoListParagraph style='margin-left:20.25pt;text-indent:-.25in;
mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>-<span
style='font:7.0pt "Times New Roman"'>
</span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Win2k3<o:p></o:p></span></p>
<p class=MsoListParagraph style='margin-left:20.25pt;text-indent:-.25in;
mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>-<span
style='font:7.0pt "Times New Roman"'>
</span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>MapGuide 2.0 Server Final, standard install on a clean machine.<o:p></o:p></span></p>
<p class=MsoListParagraph style='margin-left:20.25pt;text-indent:-.25in;
mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>-<span
style='font:7.0pt "Times New Roman"'>
</span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>MapGuide 2.0 Web Extensions Final, in both IIS and Apache
(bundled) mode<o:p></o:p></span></p>
<p class=MsoListParagraph style='margin-left:20.25pt;text-indent:-.25in;
mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>-<span
style='font:7.0pt "Times New Roman"'>
</span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Absolutely nothing in my repository, and a repository that only
has data and layer types.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I tried doing this in each of the scenarios:<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><a
href="http://testmap:8008/mapguide/mapagent/mapagent.fcgi?OPERATION=ENUMERATERESOURCES&VERSION=1.0.0&LOCALE=en&RESOURCEID=Library://&TYPE=MapDefinition&DEPTH=-1&COMPUTECHILDREN=1&FORMAT=text/xml&USERNAME=Anonymous">http://testmap:8008/mapguide/mapagent/mapagent.fcgi?OPERATION=ENUMERATERESOURCES&VERSION=1.0.0&LOCALE=en&RESOURCEID=Library://&TYPE=MapDefinition&DEPTH=-1&COMPUTECHILDREN=1&FORMAT=text/xml&USERNAME=Anonymous</a><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Which didn’t fail, it output an empty XML entity.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>This did not allow me to log in as Administrator using anything
other than the administrator password.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Andre, Rock, any ideas what the difference could be; why I can’t
replicate this problem? <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>There’s not much point in putting a ticket in on this
until I have a scenario that the developers can use to track it down. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Jason<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:
"Tahoma","sans-serif";color:windowtext'>From:</span></b><span lang=EN-US
style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>
mapguide-users-bounces@lists.osgeo.org
[mailto:mapguide-users-bounces@lists.osgeo.org] <b>On Behalf Of </b>Kenneth,
GEOGRAF A/S<br>
<b>Sent:</b> Tuesday, March 11, 2008 02:08<br>
<b>To:</b> MapGuide Users Mail List<br>
<b>Subject:</b> Re: [mapguide-users] MapGuide Open Source 2.0 (Final)Possible
SecurityIssue<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I have just tested this on my local machine (2.0 rc2), and I
cannot log in with any unapproved user.<br>
I have multiple MapDefinitions.<br>
<br>
I agree that it would be a security bug, but if it is only present when there
are no MapDefinitions in the repo, I would say it has almost no pratical
relevance.<br>
Still, something must be wrong if it happens, and should be fixed.<br>
<br>
<o:p></o:p></p>
<pre>Regards, Kenneth, GEOGRAF A/S<o:p></o:p></pre>
<p class=MsoNormal><br>
<br>
Jason Birch skrev: <o:p></o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Seems nasty…</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Have you had a chance to submit this as a ticket?</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><a href="https://trac.osgeo.org/mapguide/wiki/SubmitTicket">https://trac.osgeo.org/mapguide/wiki/SubmitTicket</a></span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Jason</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
<div style='border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in;
border-color:-moz-use-text-color -moz-use-text-color'>
<p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:
"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'> <a
href="mailto:mapguide-users-bounces@lists.osgeo.org">mapguide-users-bounces@lists.osgeo.org</a>
[<a href="mailto:mapguide-users-bounces@lists.osgeo.org">mailto:mapguide-users-bounces@lists.osgeo.org</a>]
<b>On Behalf Of </b>Rock Beans<br>
<b>Sent:</b> Wednesday, March 05, 2008 14:30<br>
<b>To:</b> MapGuide Users Mail List<br>
<b>Subject:</b> [mapguide-users] MapGuide Open Source 2.0 (Final) Possible
SecurityIssue</span><o:p></o:p></p>
</div>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal>I figured out how to reproduce this problem. If you have no
maps defined or created yet and do the call below but use
"TYPE=MapDefinition&" it fails with default user Anonymous. Then
it allows the user "Administrator" with no password to do any
OPERATION=ENUMERATERESOURCES. You can also log into Studio using Administrator
with any random password as long as it is not blank. I find this to be a huge
bug. Can anyone else confirm this?<br>
<br>
<br>
<br>
Original:<br>
After pounding my head for 3 hours I figured out that that FCGI calls where
allowing the user name of Administrator with no password. Studio was allowing
me to log in to the site with the user name of Administrator and any password
since it doesn't allow blank passwords. The strange thing is I can't log on to
the Site Administrator PHP pages with out the proper password through. Anyone
else encounter this or have any suggestions? I went into the Site Administrator
and changed the password for the Administrator user as well. The really strange
thing was the user Anonymous would not work as is should default out of the
box! It seemed every 3rd attempt with the Anonymous user would allow me to get
an XML list the others said bad user and password.<br>
<br>
Example URL (replace localhost with computer/dns name):<br>
<a
href="http://localhost/mapguide/mapagent/mapagent.fcgi?OPERATION=ENUMERATERESOURCES&VERSION=1.0.0&LOCALE=en&RESOURCEID=Library%3A%2F%2F&TYPE=&DEPTH=-1&COMPUTECHILDREN=1&FORMAT=text%2Fxml&USERNAME=Administrator"
target="_blank">http://localhost/mapguide/mapagent/mapagent.fcgi?OPERATION=ENUMERATERESOURCES&VERSION=1.0.0&LOCALE=en&RESOURCEID=Library%3A%2F%2F&TYPE=&DEPTH=-1&COMPUTECHILDREN=1&FORMAT=text%2Fxml&USERNAME=Administrator</a><br>
<br>
Now I changed the password for the Administrator to something other than
"admin" and back for testing and everything works fine. I have no
clue what went wrong. I had a co-worker try the link above with
"localhost" replaced with my work group "computer name" and
he was able to get right in as explained above. Now after everything seems OK
he cannot. So I am not sure what caused this or what fixed this but watch out
for this one.<br>
<br>
<br>
The Rock <o:p></o:p></p>
<pre><o:p> </o:p></pre><pre style='text-align:center'>
<hr size=4 width="90%" align=center>
</pre><pre><o:p> </o:p></pre><pre>_______________________________________________<o:p></o:p></pre><pre>mapguide-users mailing list<o:p></o:p></pre><pre><a
href="mailto:mapguide-users@lists.osgeo.org">mapguide-users@lists.osgeo.org</a><o:p></o:p></pre><pre><a
href="http://lists.osgeo.org/mailman/listinfo/mapguide-users">http://lists.osgeo.org/mailman/listinfo/mapguide-users</a><o:p></o:p></pre><pre> <o:p></o:p></pre></div>
</body>
</html>