[MGNLCAS-7] Login handler can be bypassed Created: 18/Aug/11  Updated: 07/Sep/11  Resolved: 18/Aug/11

Status: Closed
Project: Central Authentication Service
Component/s: None
Affects Version/s: 1.0
Fix Version/s: 1.0.1

Type: Bug Priority: Critical
Reporter: Ondrej Chytil Assignee: Ondrej Chytil
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
supersession
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled

Description

It's possible to log into the instance by passing the parameter "mgnlUserId" in the URL without knowing the password. It's enough to hit the right username.
Example URL: http://<server>/.magnolia/pages/adminCentral.html?mgnlUserId=<some_ldap_user>&mgnlUserPWD=doesntmatter
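A defender auditing an affected (1.0) instance for this bypass would look for requests that carry the `mgnlUserId` parameter in the query string, since that is the only observable the ticket gives. The following detection script is an added example, not Magnolia's or the CAS module's own code; the access-log lines, IP addresses and user names are constructed for illustration, and the log format (Common Log Format) and path are assumptions taken from the example URL above. It flags every request that presents `mgnlUserId` in the URL, records whether a throwaway `mgnlUserPWD` accompanied it, and counts distinct user ids tried per source address, which is the pattern the ticket describes ("it's enough to hit the right username").

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Common Log Format (not real traffic).
# The path comes from the example URL in the ticket; everything else is made up.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Aug/2011:10:01:02 +0200] "GET /.magnolia/pages/adminCentral.html HTTP/1.1" 200 5120
10.0.0.7 - - [18/Aug/2011:10:02:15 +0200] "GET /.magnolia/pages/adminCentral.html?mgnlUserId=alice&mgnlUserPWD=doesntmatter HTTP/1.1" 200 5120
10.0.0.7 - - [18/Aug/2011:10:02:16 +0200] "GET /.magnolia/pages/adminCentral.html?mgnlUserId=bob&mgnlUserPWD=x HTTP/1.1" 200 5120
10.0.0.9 - - [18/Aug/2011:10:03:00 +0200] "POST /.magnolia/pages/adminCentral.html HTTP/1.1" 302 0
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Parameter names named in the ticket; credentials in a query string are the signal.
CREDENTIAL_PARAMS = {"mgnlUserId", "mgnlUserPWD"}


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def credential_params_in_query(target):
    """Return the credential-style parameters present in the request's query string."""
    query = urlsplit(target).query
    if not query:
        return {}
    params = parse_qs(query, keep_blank_values=True)
    return {k: v for k, v in params.items() if k in CREDENTIAL_PARAMS}


def find_suspicious_requests(log_text):
    """Flag every request that carries mgnlUserId in the URL.

    Each hit records the source, timestamp, attempted user id, HTTP status and
    whether a mgnlUserPWD value was also supplied (the ticket's bypass shape).
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        creds = credential_params_in_query(rec["target"])
        if "mgnlUserId" in creds:
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "user": creds["mgnlUserId"][0],
                "status": rec["status"],
                "has_pwd": "mgnlUserPWD" in creds,
            })
    return hits


def distinct_users_per_source(hits):
    """Count distinct user ids attempted from each source address.

    Several different ids from one address in a short window is the
    username-guessing pattern the ticket describes.
    """
    seen = {}
    for h in hits:
        seen.setdefault(h["ip"], set()).add(h["user"])
    return {ip: len(users) for ip, users in seen.items()}


if __name__ == "__main__":
    found = find_suspicious_requests(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} user={h["user"]} status={h["status"]} pwd_supplied={h["has_pwd"]}')
    print("distinct user ids per source:", distinct_users_per_source(found))
```

A 200 response to such a request on an instance at version 1.0 is the indicator that the bypass succeeded; after upgrading to 1.0.1 the same query should no longer authenticate, and the script is still useful for confirming that credentials are not being passed in URLs (where they land in logs, proxies and browser history).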


Generated at Sun Feb 11 23:58:54 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.