Adding internal authinstance as parent of xmlrpc allows login to existing accounts without a password

Bug #594891 reported by Richard Mansfield
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fix Released
Richard Mansfield
Fix Released
Fix Released

Bug Description

Date: Tue, 15 Jun 2010 08:32:20 +0200
Subject: URGENT: SSO from Moodle to Mahara
From: Gregor Anzelj <email address hidden>

As you suggested, I've added internal as a parent to xmlrpc.

I couldn't log in with my username/password from Moodle. Upon inspection od
database I've discovered that the records for the users, that were added to
mhr_usr table contained only their usernames, but no passwords. So I could
login as any user (from Moodle) just by typing their username...

I think that the password should be also added when creating records in
table mhr_usr. What do you think?

Regards, Gregor

P.S. I can file a bug, but I wanted to contact you first...

Gregor Anzelj, prof.
Gimnazija Ledina, Ljubljana

CVE References

Revision history for this message
Richard Mansfield (richard-mansfield) wrote :

Mahara does not have access to the Moodle passwords during SSO, so we cannot set them. Francois suggested the easiest fix would be to disallow all internal auth logins for users with no password.

Changed in mahara:
milestone: none → 1.2.5
status: New → Confirmed
importance: Undecided → Critical
assignee: nobody → Richard Mansfield (richard-mansfield)
Changed in mahara:
status: Confirmed → Fix Committed
importance: Critical → Medium
Changed in mahara:
status: Fix Committed → Fix Released
visibility: private → public
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers