  1. Central Authentication Service
  2. MGNLCAS-7

Login handler can be bypassed

    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • 1.0.1
    • 1.0
    • None

      It's possible to log into an instance by passing the parameter "mgnlUserId" in the URL without knowing the password. It's enough to hit the right username.
      Example URL: http://<server>/.magnolia/pages/adminCentral.html?mgnlUserId=<some_ldap_user>&mgnlUserPWD=doesntmatter

              ochytil Ondrej Chytil
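
To check whether requests of the shape described in this report have reached a server, the access log can be searched for the "mgnlUserId" parameter in query strings. The following is an added example, not part of the original report or of the project's code; it assumes logs in combined access-log format, and the sample lines, addresses, user names and status codes are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (assumed combined access-log format).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /.magnolia/pages/adminCentral.html?mgnlUserId=alice&mgnlUserPWD=x HTTP/1.1" 200 5120
192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /.magnolia/pages/adminCentral.html?mgnlUserId=bob&mgnlUserPWD=x HTTP/1.1" 401 312
198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "POST /.magnolia/pages/adminCentral.html HTTP/1.1" 200 5120
203.0.113.4 - - [01/Jan/2024:10:02:00 +0000] "GET /news.html?id=7 HTTP/1.1" 200 900
"""

# client, method, request target and status code of one log line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def find_user_id_in_url(log_text):
    """Return one finding per request that carries mgnlUserId in the query string."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        client, method, target, status = m.groups()
        parts = urlsplit(target)
        params = parse_qs(parts.query, keep_blank_values=True)
        if "mgnlUserId" not in params:
            continue
        findings.append({
            "client": client,
            "method": method,
            "path": parts.path,
            "user": params["mgnlUserId"][0],
            "status": int(status),
            # Heuristic (assumption): a non-error response to a URL-supplied
            # user id should be reviewed on a deployment affected by this issue.
            "review": int(status) < 400,
        })
    return findings


def users_per_client(findings):
    """Group the user ids each client tried, to spot username guessing."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["client"]].add(f["user"])
    return dict(grouped)
```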