Logging in with an AD-user that has no corresponding user in the TeamPass database reveals ALL passwords for a limited period. #1530
Comments
Please update to 2.1.26

Same as #1153?

This issue still exists with version 2.1.27.
As I cannot test, can you please do the next change, assuming you are using 2.1.27.

Open file `sources/identify.php`; around line 545 you will find

```php
DB::insert(
    prefix_table('users'),
    array(
        'login' => $username,
        'pw' => $data['pw'],
        'email' => @$user_info_from_ad[0]['mail'][0],
        'name' => $user_info_from_ad[0]['givenname'][0],
        'lastname' => $user_info_from_ad[0]['sn'][0],
        'admin' => '0',
        'gestionnaire' => '0',
        'can_manage_all_users' => '0',
        'personal_folder' => $_SESSION['settings']['enable_pf_feature'] == "1" ? '1' : '0',
        'fonction_id' => '0',
        'groupes_interdits' => '0',
        'groupes_visibles' => '0',
        'last_pw_change' => time(),
        'user_language' => $_SESSION['settings']['default_language']
    )
);
```

and replace it by

```php
DB::insert(
    prefix_table('users'),
    array(
        'login' => $username,
        'pw' => $data['pw'],
        'email' => @$user_info_from_ad[0]['mail'][0],
        'name' => $user_info_from_ad[0]['givenname'][0],
        'lastname' => $user_info_from_ad[0]['sn'][0],
        'admin' => '0',
        'gestionnaire' => '0',
        'can_manage_all_users' => '0',
        'personal_folder' => $_SESSION['settings']['enable_pf_feature'] == "1" ? '1' : '0',
        // access columns start empty instead of holding the literal '0'
        'fonction_id' => '',
        'groupes_interdits' => '',
        'groupes_visibles' => '',
        'last_pw_change' => time(),
        'user_language' => $_SESSION['settings']['default_language'],
        'encrypted_psk' => ''
    )
);
```

Note: if you are on *2.1.26*, then remove the last entry `'encrypted_psk' => ''`.
I wish I could, but all my efforts to upgrade this product have thus far
failed horribly, so I'm still running 2.1.24.

--
Marius
On 22.06.2017 20.00, Nils Laumaillé wrote:

> As I cannot test, can you please do the next change, assuming you are
> using 2.1.27.
>
> Open file `sources/identify.php`; around line 545 you will find
>
> ```php
> DB::insert(
>     prefix_table('users'),
>     array(
>         'login' => $username,
>         'pw' => $data['pw'],
>         'email' => @$user_info_from_ad[0]['mail'][0],
>         'name' => $user_info_from_ad[0]['givenname'][0],
>         'lastname' => $user_info_from_ad[0]['sn'][0],
>         'admin' => '0',
>         'gestionnaire' => '0',
>         'can_manage_all_users' => '0',
>         'personal_folder' => $_SESSION['settings']['enable_pf_feature'] == "1" ? '1' : '0',
>         'fonction_id' => '0',
>         'groupes_interdits' => '0',
>         'groupes_visibles' => '0',
>         'last_pw_change' => time(),
>         'user_language' => $_SESSION['settings']['default_language']
>     )
> );
> ```
>
> and replace it by
>
> ```php
> DB::insert(
>     prefix_table('users'),
>     array(
>         'login' => $username,
>         'pw' => $data['pw'],
>         'email' => @$user_info_from_ad[0]['mail'][0],
>         'name' => $user_info_from_ad[0]['givenname'][0],
>         'lastname' => $user_info_from_ad[0]['sn'][0],
>         'admin' => '0',
>         'gestionnaire' => '0',
>         'can_manage_all_users' => '0',
>         'personal_folder' => $_SESSION['settings']['enable_pf_feature'] == "1" ? '1' : '0',
>         // access columns start empty instead of holding the literal '0'
>         'fonction_id' => '',
>         'groupes_interdits' => '',
>         'groupes_visibles' => '',
>         'last_pw_change' => time(),
>         'user_language' => $_SESSION['settings']['default_language'],
>         'encrypted_psk' => ''
>     )
> );
> ```
>
> Note: if you are on *2.1.26*, then remove the last entry
> `'encrypted_psk' => ''`.
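An added audit script, not part of this thread or of TeamPass: it scans a users-table export for accounts that still carry the pre-fix literal `'0'` in the three access columns named in the `DB::insert()` call above (`fonction_id`, `groupes_interdits`, `groupes_visibles`) and produces the corrected values that the fixed code writes. The CSV layout and the sample rows are constructed for this example; only the column names come from the thread.

```python
import csv
import io

# Column names come from the DB::insert() call quoted in the thread; the CSV
# export layout used here is an assumption made for this example.
ACCESS_COLUMNS = ("fonction_id", "groupes_interdits", "groupes_visibles")

# Constructed sample export: jdoe was auto-created by the pre-fix code path
# ('0' in every access column), asmith by the fixed one (empty strings), and
# admin is a normally managed account holding real folder ids.
SAMPLE_EXPORT = """\
login,admin,gestionnaire,can_manage_all_users,fonction_id,groupes_interdits,groupes_visibles
jdoe,0,0,0,0,0,0
asmith,0,0,0,,,
admin,1,0,0,2;7,,4
"""


def find_sentinel_zero(export_text):
    """Return {login: [access columns holding the literal '0']} for every
    row that still carries the pre-fix value in any access column."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        bad = [c for c in ACCESS_COLUMNS if row[c].strip() == "0"]
        if bad:
            findings[row["login"]] = bad
    return findings


def remediate(export_text):
    """Return the rows with each offending access column set to '' (the value
    the fixed DB::insert() writes); every other column is left untouched."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    for row in rows:
        for c in ACCESS_COLUMNS:
            if row[c].strip() == "0":
                row[c] = ""
    return rows


if __name__ == "__main__":
    for login, cols in find_sentinel_zero(SAMPLE_EXPORT).items():
        print(f"{login}: {', '.join(cols)} hold '0'; set them to '' (see #1530)")
```

Run it against a real export of the users table to list the logins that need an UPDATE before or after applying the code change.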
Steps to reproduce
Expected behaviour
The user shouldn't be allowed to log in at all, as it has no corresponding entry in the local TeamPass database.
Actual behaviour
Instead the user can view ALL passwords.
Server configuration
- Operating system: Debian Jessie 8.5
- Web server: Apache 2.4.10
- Database: MariaDB 5.5.47
- PHP version: 5.6.22-0
- Teampass version: 2.1.23
- Updated from an older Teampass or fresh install: Updated from older TeamPass version.

Client configuration
- Browser: Different
- Operating system: Generally Microsoft Windows

Logs
Web server error log
Firebug log