[mapguide-users] MapGuide Open Source 2.0 (Final) Possible Security Issue
Kenneth, GEOGRAF A/S
ks at geograf.dk
Tue Mar 11 05:07:53 EDT 2008
I have just tested this on my local machine (2.0 rc2), and I cannot log
in with any unapproved user.
I have multiple MapDefinitions.
I agree that it would be a security bug, but if it is only present when
there are no MapDefinitions in the repo, I would say it has almost no
practical relevance.
Still, something must be wrong if it happens, and should be fixed.
Regards, Kenneth, GEOGRAF A/S
Jason Birch wrote:
>
> Seems nasty...
>
> Have you had a chance to submit this as a ticket?
>
> https://trac.osgeo.org/mapguide/wiki/SubmitTicket
>
> Jason
>
> *From:* mapguide-users-bounces at lists.osgeo.org
> [mailto:mapguide-users-bounces at lists.osgeo.org] *On Behalf Of *Rock Beans
> *Sent:* Wednesday, March 05, 2008 14:30
> *To:* MapGuide Users Mail List
> *Subject:* [mapguide-users] MapGuide Open Source 2.0 (Final) Possible
> Security Issue
>
> I figured out how to reproduce this problem. If you have no maps
> defined or created yet and do the call below but use
> "TYPE=MapDefinition&" it fails with default user Anonymous. Then it
> allows the user "Administrator" with no password to do any
> OPERATION=ENUMERATERESOURCES. You can also log into Studio using
> Administrator with any random password as long as it is not blank. I
> find this to be a huge bug. Can anyone else confirm this?
>
> Original:
> After pounding my head for 3 hours I figured out that FCGI calls
> were allowing the user name of Administrator with no password. Studio
> was allowing me to log in to the site with the user name of
> Administrator and any password since it doesn't allow blank passwords.
> The strange thing is I can't log on to the Site Administrator PHP
> pages without the proper password, though. Anyone else encounter this
> or have any suggestions? I went into the Site Administrator and
> changed the password for the Administrator user as well. The really
> strange thing was the user Anonymous would not work as it should
> default out of the box! It seemed every 3rd attempt with the Anonymous
> user would allow me to get an XML list; the others said bad user and
> password.
>
> Example URL (replace localhost with computer/dns name):
> http://localhost/mapguide/mapagent/mapagent.fcgi?OPERATION=ENUMERATERESOURCES&VERSION=1.0.0&LOCALE=en&RESOURCEID=Library%3A%2F%2F&TYPE=&DEPTH=-1&COMPUTECHILDREN=1&FORMAT=text%2Fxml&USERNAME=Administrator
>
> Now I changed the password for the Administrator to something other
> than "admin" and back for testing and everything works fine. I have no
> clue what went wrong. I had a co-worker try the link above with
> "localhost" replaced with my work group "computer name" and he was
> able to get right in as explained above. Now after everything seems OK
> he cannot. So I am not sure what caused this or what fixed this but
> watch out for this one.
>
> The Rock
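As an added defender-side check, not part of this thread or of the MapGuide project: a small Python scan over web-server access logs that flags mapagent.fcgi requests which named the Administrator account with no password yet received a 200 response, the symptom the report above describes. The sample lines are constructed in Apache "combined" format, and it assumes the credential travels as a PASSWORD query parameter alongside the USERNAME parameter shown in the thread.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Mar/2008:14:30:01 -0500] "GET /mapguide/mapagent/mapagent.fcgi?OPERATION=ENUMERATERESOURCES&VERSION=1.0.0&RESOURCEID=Library%3A%2F%2F&TYPE=&USERNAME=Administrator HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Mar/2008:14:31:12 -0500] "GET /mapguide/mapagent/mapagent.fcgi?OPERATION=ENUMERATERESOURCES&VERSION=1.0.0&RESOURCEID=Library%3A%2F%2F&TYPE=MapDefinition&USERNAME=Anonymous HTTP/1.1" 401 512 "-" "Mozilla/5.0"
10.0.0.7 - - [05/Mar/2008:14:32:40 -0500] "GET /mapguide/mapagent/mapagent.fcgi?OPERATION=GETRESOURCECONTENT&VERSION=1.0.0&RESOURCEID=Library%3A%2F%2FSamples%2FMap.MapDefinition&USERNAME=Administrator&PASSWORD=admin HTTP/1.1" 200 8840 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Mar/2008:14:33:05 -0500] "GET /mapguide/mapagent/mapagent.fcgi?OPERATION=ENUMERATERESOURCES&VERSION=1.0.0&RESOURCEID=Library%3A%2F%2F&TYPE=&USERNAME=Administrator&PASSWORD= HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request target and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def suspicious_admin_requests(log_text):
    """Return (ip, time, operation) for every mapagent request that named
    Administrator, carried no (or an empty) PASSWORD parameter, and was
    nevertheless answered with HTTP 200."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/mapagent.fcgi"):
            continue
        # keep_blank_values so "PASSWORD=" is seen as present-but-empty
        q = parse_qs(parts.query, keep_blank_values=True)
        user = q.get("USERNAME", [""])[0]
        password = q.get("PASSWORD", [""])[0]
        if user == "Administrator" and password == "" and m.group("status") == "200":
            hits.append((m.group("ip"), m.group("time"), q.get("OPERATION", ["?"])[0]))
    return hits


if __name__ == "__main__":
    for ip, when, op in suspicious_admin_requests(SAMPLE_LOG):
        print(f"{when} {ip} accepted Administrator with no password for {op}")
```

Credentials sent via HTTP Basic authentication do not appear in the query string, so this only catches the URL-parameter form used in the thread.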