Login problem - ALREADY NOTICED
- victor_diago
- Posts: 245
- Joined: Wed Jan 21, 2004 2:44 pm
- Location: Brazil, sao paulo
Login problem - ALREADY NOTICED
Hi all, there is a problem in the login page in ZoneMinder 1.17, which lets anyone log in to the system, even a nonexistent user. The wrong user can see the console page, but can't click on anything. This issue has already been sent to Philip, and he said he will fix it, but it is always good to find documentation about a bug, so I'm posting it.
- zoneminder
- Site Admin
- Posts: 5215
- Joined: Wed Jul 09, 2003 2:07 pm
- Location: Bristol, UK
Re: Login problem - ALREADY NOTICED
Hi Victor,
I see you managed to register!
The problem will be fixed in version 1.17.1 which should be out in the next 24 hours or so.
In the meantime you can patch your files as follows
> zm_html.php.patch
---- cut here ----
*** zm_html.php 8 Jan 2004 11:45:57 -0000 1.51
--- zm_html.php 21 Jan 2004 14:20:33 -0000 1.52
***************
*** 36,41 ****
--- 36,45 ----
{
$user = $HTTP_SESSION_VARS['user'];
define( "ZMU_COMMAND", ZMU_PATH." -U ".$HTTP_SESSION_VARS['username']." -P ".$HTTP_SESSION_VARS['password'] );
+ }
+ else
+ {
+ unset( $user );
}
}
else
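Review bot: on the context line that defines ZMU_COMMAND, $HTTP_SESSION_VARS['username'] and $HTTP_SESSION_VARS['password'] are concatenated into the command string without escaping, and this patch leaves that as is. If the string is ever handed to a shell, both values should go through escapeshellarg() first. The added else branch with unset( $user ) only helps if the code after it tests isset( $user ) rather than the session entry, which cannot be confirmed from the lines shown.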
---- cut here ----
> zm_funcs.php.patch
---- cut here ----
*** zm_funcs.php 8 Jan 2004 11:45:57 -0000 1.20
--- zm_funcs.php 21 Jan 2004 14:20:33 -0000 1.21
***************
*** 28,40 ****
echo mysql_error();
$HTTP_SESSION_VARS['username'] = $username;
$HTTP_SESSION_VARS['password'] = $password;
! if ( $user = mysql_fetch_assoc( $result ) )
{
! $HTTP_SESSION_VARS['user'] = $user;
}
else
{
! $HTTP_SESSION_VARS['user'] = array();
}
session_write_close();
}
--- 28,40 ----
echo mysql_error();
$HTTP_SESSION_VARS['username'] = $username;
$HTTP_SESSION_VARS['password'] = $password;
! if ( $db_user = mysql_fetch_assoc( $result ) )
{
! $HTTP_SESSION_VARS['user'] = $user = $db_user;
}
else
{
! unset( $user );
}
session_write_close();
}
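Review bot: in the new else branch, unset( $user ) clears only the variable, whereas the old code overwrote $HTTP_SESSION_VARS['user']; after a failed login any 'user' entry already in the session is now left in place. Consider also calling unset( $HTTP_SESSION_VARS['user'] ) there, and moving the two assignments of $HTTP_SESSION_VARS['username'] and $HTTP_SESSION_VARS['password'] above the if into the success branch so that rejected credentials are not stored in the session. The echo mysql_error() at the top of the hunk also prints database errors to the page.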
---- cut here ----
Cheers,
Phil,