View Issue Details

IDProjectCategoryView StatusLast Update
0014252phpList 3 applicationAuthentication Systempublic28-04-08 13:28
Reporterjhorst 
PrioritynormalSeverityminorReproducibilityalways
Status newResolutionopen 
Product Version2.10.5 
Target VersionFixed in Version 
Summary0014252: Login with password in cookie fails
DescriptionWhen trying to login to PHPList, it refused to recognize my password, even though what I typed in matched the password in the database. Finally, I had the authorization function dump to the browser the arguments passed to it. That's when I found that it was using a password from a cookie from another page on my site. The cookie variable was also named "password", but it was encrypted, so the two didn't match. The reason this happened was because the form data was called using $_REQUEST instead of $_POST.

Lines 175 to 181 of admin/index.php currently read as follows:

  if ((!isset($_SESSION["adminloggedin"]) || !$_SESSION["adminloggedin"]) && isset($_REQUEST["login"]) && isset($_REQUEST["password"])) {
    $loginresult = $GLOBALS["admin_auth"]->validateLogin($_REQUEST["login"],$_REQUEST["password"]);
    if (!$loginresult[0]) {
      $_SESSION["adminloggedin"] = "";
      $_SESSION["logindetails"] = "";
      $page = "login";
      logEvent(sprintf($GLOBALS['I18N']->get('invalid login from %s, tried logging in as %s'),$_SERVER['REMOTE_ADDR'],$_REQUEST["login"]));

They should be altered to:

  if ((!isset($_SESSION["adminloggedin"]) || !$_SESSION["adminloggedin"]) && isset($_POST["login"]) && isset($_POST["password"])) {
    $loginresult = $GLOBALS["admin_auth"]->validateLogin($_POST["login"],$_POST["password"]);
    if (!$loginresult[0]) {
      $_SESSION["adminloggedin"] = "";
      $_SESSION["logindetails"] = "";
      $page = "login";
      logEvent(sprintf($GLOBALS['I18N']->get('invalid login from %s, tried logging in as %s'),$_SERVER['REMOTE_ADDR'],$_POST["login"]));

Then the login should work fine.

This also should be fixed for security reasons. In other words, if you happen to have a cookie from your phpList-using site that contains "login" and "password" variables, and they are the same as the phpList login info, it wouldn't matter what you typed into the login boxes -- the cookie information would log you in.
Additional Information   System details:

    * phplist version: 2.10.5
    * PHP version: 5.2.5
    * Browser: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
    * Webserver: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8g DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
    * Website: www.jehovahjirehfarm.com/maillist
    * Mysql Info: 5.0.45-community-log
    * PHP Modules:
          o zip
          o libxml
          o xsl
          o xmlwriter
          o xmlrpc
          o dom
          o xmlreader
          o xml
          o tokenizer
          o tidy
          o session
          o pcre
          o SimpleXML
          o sockets
          o soap
          o SPL
          o standard
          o Reflection
          o pspell
          o posix
          o pgsql
          o mysqli
          o mysql
          o mime_magic
          o mhash
          o mcrypt
          o mbstring
          o json
          o imap
          o iconv
          o hash
          o gettext
          o gd
          o ftp
          o filter
          o exif
          o date
          o curl
          o ctype
          o calendar
          o bz2
          o bcmath
          o zlib
          o openssl
          o cgi-fcgi
          o Zend Optimizer
TagsNo tags attached.

Relationships

related to 0015029 resolvedmichiel Identical Cookies allow login to multiple installations 

Activities

user3543

24-04-08 12:56

  ~0045733

This a very interesting issue, but we do need to have $_REQUEST instead of $_POST at this instance, in order to keep $_GET running appropriately

jhorst

26-04-08 02:46

reporter   ~0045894

What about a simple if() statement that checks $_SERVER['REQUEST_METHOD'] and then uses $_GET[] or $_POST[] as needed?