Central Authentication Service / MGNLCAS-7

Login handler can be bypassed

Details

    • Bug
    • Resolution: Fixed
    • Critical
    • 1.0.1
    • 1.0
    • None

    Description

      It's possible to log into an instance by passing the parameter "mgnlUserId" in the URL without knowing the password. It's enough to hit the right username.
      Example URL: http://<server>/.magnolia/pages/adminCentral.html?mgnlUserId=<some_ldap_user>&mgnlUserPWD=doesntmatter
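
A log-review sketch for the issue described above, added here and not part of the ticket or of Magnolia's code: it scans web access logs for requests that carry `mgnlUserId` or `mgnlUserPWD` in the query string, the request shape the report describes. The Combined Log Format, the sample lines and their status codes are constructed assumptions, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (assumed Combined Log Format; status codes are illustrative).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2000:10:01:02 +0000] "GET /.magnolia/pages/adminCentral.html?mgnlUserId=alice&mgnlUserPWD=x HTTP/1.1" 200 5120 "-" "-"
198.51.100.7 - - [01/Jan/2000:10:01:05 +0000] "GET /.magnolia/pages/adminCentral.html?mgnlUserId=bob&mgnlUserPWD=x HTTP/1.1" 401 310 "-" "-"
198.51.100.7 - - [01/Jan/2000:10:01:09 +0000] "GET /.magnolia/pages/adminCentral.html?mgnl%55serId=carol&mgnlUserPWD=x HTTP/1.1" 200 5120 "-" "-"
203.0.113.9 - - [01/Jan/2000:10:02:00 +0000] "POST /.magnolia/pages/adminCentral.html HTTP/1.1" 302 0 "-" "-"
203.0.113.9 - - [01/Jan/2000:10:02:01 +0000] "GET /.magnolia/pages/adminCentral.html HTTP/1.1" 200 5120 "-" "-"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
LOGIN_PARAMS = {"mgnlUserId", "mgnlUserPWD"}  # parameter names taken from the ticket


def find_url_logins(log_text):
    """Return (ip, method, path, user, status) for requests with login params in the query string."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, method, target, status = m.groups()
        parts = urlsplit(target)
        # parse_qs percent-decodes parameter names, so encoded spellings match as well
        params = parse_qs(parts.query, keep_blank_values=True)
        if params.keys() & LOGIN_PARAMS:
            user = params.get("mgnlUserId", [""])[0]
            hits.append((ip, method, parts.path, user, int(status)))
    return hits


def summarize(hits):
    """Per client: distinct usernames seen and number of requests not rejected (status < 400)."""
    out = defaultdict(lambda: {"users": set(), "not_rejected": 0})
    for ip, _method, _path, user, status in hits:
        out[ip]["users"].add(user)
        out[ip]["not_rejected"] += status < 400
    return dict(out)


if __name__ == "__main__":
    for ip, info in summarize(find_url_logins(SAMPLE_LOG)).items():
        print(ip, sorted(info["users"]), info["not_rejected"])
```

A client that cycles through several usernames this way and gets non-error responses is worth correlating with session creation on the instance; the status code alone does not prove a login succeeded.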

            People

              ochytil Ondrej Chytil
              ochytil Ondrej Chytil