[mapguide-users] MapGuide Open Source 2.0 (Final)Possible SecurityIssue

Andre Schoonbee andresch at iway.na
Wed Mar 12 04:08:26 EDT 2008


I am experiencing the same problem. Any solution yet?

 

Regards

 

Andre

 

  _____  

From: mapguide-users-bounces at lists.osgeo.org
[mailto:mapguide-users-bounces at lists.osgeo.org] On Behalf Of Kenneth,
GEOGRAF A/S
Sent: Tuesday, March 11, 2008 11:08 AM
To: MapGuide Users Mail List
Subject: Re: [mapguide-users] MapGuide Open Source 2.0 (Final)Possible
SecurityIssue

 

I have just tested this on my local machine (2.0 rc2), and I cannot log in
with any unapproved user.
I have multiple MapDefinitions.

I agree that it would be a security bug, but if it is only present when
there are no MapDefinitions in the repo, I would say it has almost no
pratical relevance.
Still, something must be wrong if it happens, and should be fixed.



Regards, Kenneth, GEOGRAF A/S



Jason Birch skrev: 

Seems nasty.

 

Have you had a chance to submit this as a ticket?

 

https://trac.osgeo.org/mapguide/wiki/SubmitTicket

 

Jason

 

From: mapguide-users-bounces at lists.osgeo.org
[mailto:mapguide-users-bounces at lists.osgeo.org] On Behalf Of Rock Beans
Sent: Wednesday, March 05, 2008 14:30
To: MapGuide Users Mail List
Subject: [mapguide-users] MapGuide Open Source 2.0 (Final) Possible
SecurityIssue

 

I figured out how to reproduce this problem. If you have no maps defined or
created yet and do the call below but use "TYPE=MapDefinition&" it fails
with default user Anonymous. Then it allows the user "Administrator" with no
password to do any OPERATION=ENUMERATERESOURCES. You can also log into
Studio using Administrator with any random password as long as it is not
blank. I find this to be a huge bug. Can anyone else confirm this?



Original:
After pounding my head for 3 hours I figured out that that FCGI calls where
allowing the user name of Administrator with no password. Studio was
allowing me to log in to the site with the user name of Administrator and
any password since it doesn't allow blank passwords. The strange thing is I
can't log on to the Site Administrator PHP pages with out the proper
password through. Anyone else encounter this or have any suggestions? I went
into the Site Administrator and changed the password for the Administrator
user as well. The really strange thing was the user Anonymous would not work
as is should default out of the box! It seemed every 3rd attempt with the
Anonymous user would allow me to get an XML list the others said bad user
and password.

Example URL (replace localhost with computer/dns name):
http://localhost/mapguide/mapagent/mapagent.fcgi?OPERATION=ENUMERATERESOURCE
S
<http://localhost/mapguide/mapagent/mapagent.fcgi?OPERATION=ENUMERATERESOURC
ES&VERSION=1.0.0&LOCALE=en&RESOURCEID=Library%3A%2F%2F&TYPE=&DEPTH=-1&COMPUT
ECHILDREN=1&FORMAT=text%2Fxml&USERNAME=Administrator>
&VERSION=1.0.0&LOCALE=en&RESOURCEID=Library%3A%2F%2F&TYPE=&DEPTH=-1&COMPUTEC
HILDREN=1&FORMAT=text%2Fxml&USERNAME=Administrator

Now I changed the password for the Administrator to something other than
"admin" and back for testing and everything works fine. I have no clue what
went wrong. I had a co-worker try the link above with "localhost" replaced
with my work group "computer name" and he was able to get right in as
explained above. Now after everything seems OK he cannot. So I am not sure
what caused this or what fixed this but watch out for this one.


The Rock 

 





  _____  



 
_______________________________________________
mapguide-users mailing list
mapguide-users at lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/mapguide-users
  



__________ Information from ESET Smart Security, version of virus signature
database 2937 (20080311) __________

The message was checked by ESET Smart Security.

http://www.eset.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.osgeo.org/pipermail/mapguide-users/attachments/20080312/2422cdbe/attachment.html


More information about the mapguide-users mailing list