Adding internal authinstance as parent of xmlrpc allows login to existing accounts without a password
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | Medium | Richard Mansfield |
1.0 | Fix Released | Medium | Unassigned |
1.1 | Fix Released | Medium | Unassigned |
Bug Description
Date: Tue, 15 Jun 2010 08:32:20 +0200
Subject: URGENT: SSO from Moodle to Mahara
From: Gregor Anzelj <email address hidden>
...
As you suggested, I've added internal as a parent to xmlrpc.
I couldn't log in with my username/password from Moodle. Upon inspection of the
database I've discovered that the records for the users that were added to the
mhr_usr table contained only their usernames, but no passwords. So I could
log in as any user (from Moodle) just by typing their username...
I think that the password should also be added when creating records in the
table mhr_usr. What do you think?
Regards, Gregor
P.S. I can file a bug, but I wanted to contact you first...
--
----------
Gregor Anzelj, prof.
Gimnazija Ledina, Ljubljana
Changed in mahara:
status: Confirmed → Fix Committed
importance: Critical → Medium
Changed in mahara:
status: Fix Committed → Fix Released
visibility: private → public
Mahara does not have access to the Moodle passwords during SSO, so we cannot set them. Francois suggested the easiest fix would be to disallow all internal auth logins for users with no password.
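The following is an added illustration of the failure mode and of the fix suggested in the comment above. It is not Mahara's code and does not reproduce the actual code path of the 1.0/1.1 releases; the logic is modelled in Python rather than Mahara's PHP, the user table, column names, hashing scheme and the "absent credential treated as empty credential" weak check are all constructed for the example, and the only claims it demonstrates are the ones on this page: SSO-provisioned records carry no password, an xmlrpc authinstance whose parent is internal falls through to the internal check, and refusing internal logins for accounts with no stored password closes the hole.

```python
"""Model of the report above: an xmlrpc (SSO) authinstance with the internal
authinstance as its parent, SSO-provisioned users stored without a password,
and an internal check that must refuse such accounts. All data is constructed;
nothing here is Mahara's own code or schema."""
import hashlib
import hmac


def hash_password(password: str, salt: str) -> str:
    # Salted SHA-256, chosen for the model only; the real scheme is not the point.
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def make_user_table() -> dict:
    """Constructed stand-in for the usr table (assumed columns, not Mahara's)."""
    salt = "a1b2c3d4"
    return {
        # Local user who set a password through the internal authinstance.
        "alice": {"authinstance": "internal", "salt": salt,
                  "password": hash_password("correct horse", salt)},
        # User provisioned by SSO from Moodle: the record was created with a
        # username only, which is what the reporter found in mhr_usr.
        "gregor": {"authinstance": "xmlrpc", "salt": "", "password": ""},
    }


def internal_login_weak(users: dict, username: str, supplied: str) -> bool:
    """Modelled weak check: an absent credential is handled like an empty one.
    This models the symptom in the report (login with username alone); it is
    not a claim about the actual Mahara code path."""
    user = users.get(username)
    if user is None:
        return False
    if user["password"] == "":
        # No hash to compare against, so the raw values are compared instead:
        # a blank password submitted for a blank record "matches".
        return supplied == ""
    return hmac.compare_digest(user["password"],
                               hash_password(supplied, user["salt"]))


def internal_login_fixed(users: dict, username: str, supplied: str) -> bool:
    """The fix suggested in the comment: internal auth refuses any account that
    has no stored password, before any comparison is attempted."""
    user = users.get(username)
    if user is None or not user["password"]:
        return False
    return hmac.compare_digest(user["password"],
                               hash_password(supplied, user["salt"]))


# Parent chain from the report: xmlrpc has internal as its parent, so a
# form login for an SSO-provisioned user falls through to the internal check.
AUTH_PARENTS = {"xmlrpc": "internal", "internal": None}


def form_login(users: dict, username: str, supplied: str, internal_check) -> bool:
    """Walk the authinstance chain; only the internal instance can verify a
    form password, the xmlrpc instance cannot (it has no password to check)."""
    user = users.get(username)
    if user is None:
        return False
    inst = user["authinstance"]
    while inst is not None:
        if inst == "internal":
            return internal_check(users, username, supplied)
        inst = AUTH_PARENTS.get(inst)
    return False


if __name__ == "__main__":
    table = make_user_table()
    for check in (internal_login_weak, internal_login_fixed):
        print(check.__name__, "gregor/blank ->",
              form_login(table, "gregor", "", check))
```

With the weak check, the SSO-provisioned account is accepted with a blank password through the internal parent; with the fixed check it is refused for every password, while a local user with a real hash still logs in only with the right one. The refusal has to happen before the comparison, not inside it, so that no comparison logic can be reached for a record that has nothing to compare.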