Bug #122
Password verification broken
| Status: | New | Start date: | 12/27/2009 | |
|---|---|---|---|---|
| Priority: | Immediate | Due date: | ||
| Assignee: | - | % Done: | 0% |
|
| Category: | Web interface | Spent time: | - | |
| Target version: | - | |||
| Resolution: |
Description
While coding the hashed password feature for the GlasIF, I found that it is possible to authenticate to the Web interface without password. You only need to know a username. The given password is not checked properly (this applies to all versions and probably never worked correctly).
We packaged a preview version of he GlasIF. In 0.0.1-PRE1 this problem is fixed: http://dev.glastopf.org/wiki/glasif/Version_001
We should either backport the fix to the Web interface or remove the Web interface completely from the glastopf Repo, as it is deprecated. However, the decision is up to you. But IMHO it is highly recommended to switch to the new GlasIF. On the other hand I can backport the fix. Just let me know, if you need a patch.