sent in
the following hack...
Point of interest:
I just heard from a client in France that it was possible to wander up to
the logon screen of his DB_M installation, enter no name and no password
and be admitted with full editing privileges. (eek!)
On checking into it I found this cause:
There was a blank line at the bottom of the users file.
So--if someone leaves an extra carriage return in the users' file at the
end of a manual editing session, that becomes "the authorized user with no
name and no password".
added.....
I'm sure what I have wound up doing in the past was to replace the
snippet below from the "auth-extra-lib.pl" file at approx line 163.
    if ($in{'auth_logon_screen_op'} ne "" ||
        ($session eq "")) {
        &PrintLogonPage($bad_logon_message, $main_script, *in);
        exit;
    } # End of Logon Screen
with this hacked snippet below..and that seems to have corrected the
problem I think Jeff is describing.
    if ($in{'auth_logon_screen_op'} ne "" ||
        ($session eq "") ||
        $form_data{'auth_user_name'} eq "" ||
        $form_data{'auth_password'} eq "") {
        &PrintLogonPage($bad_logon_message, $main_script, *in);
        exit;
    } # End of Logon Screen
There was the infamous :) "last person to enter data into the database
became admin bug"...as well as a bug that would nuke the whole database.
So if your client has a real old version of the DB_Manager...some of these
gremlins may be present, Jeff.
I also believe that you can...do the same with the
"web_store_log_analysis.cgi" as well..if I'm not mistaken I had to
correct this for a client just before Xmas...but me old noggin has
trouble remembering that far back :-)
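
Added example (not from the original posts and not DB_Manager's own code): a small Perl model of the blank-line problem described above, showing a naive users-file lookup next to one that rejects empty credentials and skips blank or malformed records. The pipe-delimited name|password|group layout, the sample records and the function names naive_auth, strict_auth and lint_users_file are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample users file. The name|password|group layout is an assumed
# format; the password field is a placeholder string (a real file would hold a
# hash). The last element is the stray blank line left by a manual edit.
my @users_file = ("alice|placeholder-a|admin\n", "bob|placeholder-b|user\n", "\n");

# Naive lookup: every line is split and compared, so the blank line becomes a
# record whose name and password are both "" and matches an empty logon.
sub naive_auth {
    my ($name, $pass, @lines) = @_;
    for my $line (@lines) {
        chomp(my $rec = $line);
        my ($u, $p) = split /\|/, $rec;
        $u = "" unless defined $u;
        $p = "" unless defined $p;
        return 1 if $u eq $name && $p eq $pass;
    }
    return 0;
}

# Hardened lookup: refuse empty credentials up front (the same idea as the
# extra tests in the logon check), and never treat a blank or short line as a user.
sub strict_auth {
    my ($name, $pass, @lines) = @_;
    return 0 if !defined $name || !defined $pass || $name eq "" || $pass eq "";
    for my $line (@lines) {
        (my $rec = $line) =~ s/\r?\n\z//;
        next if $rec =~ /^\s*$/;                             # blank line
        my @f = split /\|/, $rec, -1;
        next unless @f == 3 && $f[0] ne "" && $f[1] ne "";   # malformed record
        return 1 if $f[0] eq $name && $f[1] eq $pass;
    }
    return 0;
}

# File check to run after a manual edit: returns the 1-based numbers of lines
# that are blank or lack a name or password field.
sub lint_users_file {
    my @lines = @_;
    return grep { (split /\|/, $lines[$_ - 1], -1)[0] !~ /\S/
               || ((split /\|/, $lines[$_ - 1], -1)[1] // "") !~ /\S/ } 1 .. @lines;
}

for my $try (["", ""], ["alice", "placeholder-a"], ["alice", ""]) {
    my ($n, $p) = @$try;
    printf "name=%-8s pass=%-16s naive=%d strict=%d\n", "'$n'", "'$p'",
        naive_auth($n, $p, @users_file), strict_auth($n, $p, @users_file);
}
print "suspect lines in users file: @{[ lint_users_file(@users_file) ]}\n";
```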