eXtropia: the open web technology company
User File Security Note  
sent in the following hack...

Point of interest:

I just heard from a client in France that it was possible to wander up to the logon screen of his DB_M installation, enter no name and no password and be admitted with full editing privileges. (eek!)

On checking into it I found this cause:

There was a blank line at the bottom of the users file.

So--if someone leaves an extra carriage return in the users' file at the end of a manual editing session, that becomes "the authorized user with no name and no password".

added.....

I'm sure what I have wound up doing in the past was to replace the snippet below from "auth-extra-lib.pl" file at approx line 163.

if ($in{'auth_logon_screen_op'} ne "" ||
    ($session eq "")) {
    &PrintLogonPage($bad_logon_message, $main_script, *in);
    exit;
} # End of Logon Screen

with this hacked snippet below, and that seems to have corrected the problem I think Jeff is describing.

if ($in{'auth_logon_screen_op'} ne "" ||
    ($session eq "") ||
    $form_data{'auth_user_name'} eq "" ||
    $form_data{'auth_password'} eq "") {
    &PrintLogonPage($bad_logon_message, $main_script, *in);
    exit;
} # End of Logon Screen

There was the infamous :) "last person to enter data into the database became admin" bug...as well as a bug that would nuke the whole database. So if your client has a real old version of the DB_Manager...some of these gremlins may be present, Jeff.

I also believe that you can...do the same with the "web_store_log_analysis.cgi" as well..if I'm not mistaken I had to correct this for a client just before Xmas...but me old noggin has trouble remembering that far back :-)
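The two notes above describe the same failure from both ends: a stray blank line in the users file parses as a record whose name and password are both empty, and a logon form submitted with both fields empty then matches it. The script below is an added illustration, not eXtropia's code and not from DB_Manager; it assumes a pipe-delimited users file ("name|password|group", a constructed format) and uses hypothetical function names. It parses a constructed users file with a trailing blank line the naive way, shows the empty logon being admitted, then parses it again with blank lines skipped and empty credentials refused up front, which is the same idea as the extra "eq ''" conditions in the hacked snippet. It also includes a small audit helper that reports blank lines so the condition can be found in an existing file after a manual edit.

```perl
#!/usr/bin/perl
# Added example (not eXtropia's code): a trailing blank line in a users file
# becomes a record with an empty name and password; an empty logon matches it.
use strict;
use warnings;

# Constructed sample users file (format assumed: name|password|group), with the
# extra carriage return an editor left at the end of a manual editing session.
my $users_file_text = "alice|s3cret|admin\nbob|hunter2|user\n\n";

# Naive parser: reads the file line by line the way a while(<FILE>) loop would,
# turning every line, blank ones included, into a record.
sub parse_users_naive {
    my ($text) = @_;
    my @records;
    open my $fh, '<', \$text or die "cannot open in-memory file: $!";
    while (my $line = <$fh>) {
        chomp $line;
        my @f = split /\|/, $line, -1;
        my ($name, $pass, $group) = map { defined $_ ? $_ : "" } @f[0 .. 2];
        push @records, { name => $name, pass => $pass, group => $group };
    }
    close $fh;
    return \@records;
}

# Naive lookup: compares the submitted values against each record. The record
# built from the blank line has name "" and password "", so a logon with both
# fields left empty is accepted.
sub authenticate_naive {
    my ($records, $name, $pass) = @_;
    for my $r (@$records) {
        return $r if $r->{name} eq $name && $r->{pass} eq $pass;
    }
    return;
}

# Hardened parser: skips blank or whitespace-only lines and comment lines, and
# drops any record that lacks a name or a password.
sub parse_users_strict {
    my ($text) = @_;
    my @records;
    open my $fh, '<', \$text or die "cannot open in-memory file: $!";
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*$/;    # the stray carriage return
        next if $line =~ /^\s*#/;    # comment line
        my ($name, $pass, $group) = split /\|/, $line;
        next unless defined $name && length $name && defined $pass && length $pass;
        push @records, { name => $name, pass => $pass,
                         group => defined $group ? $group : "" };
    }
    close $fh;
    return \@records;
}

# Hardened lookup: refuses empty credentials before the file is consulted at
# all, so the check does not depend on the file being clean.
sub authenticate_strict {
    my ($records, $name, $pass) = @_;
    return if !defined $name || $name eq "" || !defined $pass || $pass eq "";
    for my $r (@$records) {
        return $r if $r->{name} eq $name && $r->{pass} eq $pass;
    }
    return;
}

# Audit helper: returns the 1-based numbers of blank lines in a users file so an
# administrator can find the condition after a manual edit.
sub find_blank_lines {
    my ($text) = @_;
    my @lines = split /\n/, $text, -1;
    pop @lines if @lines && $lines[-1] eq "";   # the file's final newline is not a blank line
    return map { $_ + 1 } grep { $lines[$_] =~ /^\s*$/ } 0 .. $#lines;
}

my $naive  = parse_users_naive($users_file_text);
my $strict = parse_users_strict($users_file_text);
printf "records parsed: naive=%d strict=%d\n", scalar @$naive, scalar @$strict;
printf "blank lines in users file: %s\n", join(",", find_blank_lines($users_file_text)) || "none";
printf "empty logon, naive lookup : %s\n",
    authenticate_naive($naive, "", "") ? "ADMITTED (bug)" : "rejected";
printf "empty logon, strict lookup: %s\n",
    authenticate_strict($strict, "", "") ? "ADMITTED (bug)" : "rejected";
printf "alice/s3cret, strict lookup: %s\n",
    authenticate_strict($strict, "alice", "s3cret") ? "admitted" : "rejected";
```

Running it prints three records for the naive parse and two for the strict one, reports line 3 as blank, admits the empty logon only through the naive lookup, and still admits alice with the correct password through the strict lookup. The two defences are independent: skipping blank lines keeps a bad edit from creating the phantom record, and rejecting empty fields before the file lookup keeps the logon safe even if a future edit introduces some other degenerate line.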