Roundcube Community Forum

Release Support => Pending Issues => Topic started by: simplistsims on August 10, 2006, 10:31:08 AM

Title: Roundcube Still Has That Major Security Flaw!!!!!
Post by: simplistsims on August 10, 2006, 10:31:08 AM
I noticed with the new version of roundcube I can still log in with only my password. I was told this flaw was resolved but it looks like it wasn't. I would really like to see this resolved, as well as other people. Anyone can try and use a dictionary attack to login without the need to find an e-mail address/login.
Title: Re: Roundcube Still Has That Major Security Flaw!!!!!
Post by: Slug on August 10, 2006, 10:49:36 AM
Well, I just tried to log in with ONLY my password, and it failed.. so it works for me ... 8)


Michael
Title: Re: Roundcube Still Has That Major Security Flaw!!!!!
Post by: simplistsims on August 10, 2006, 10:56:09 AM
what kinda error came up?
Title: Re: Roundcube Still Has That Major Security Flaw!!!!!
Post by: Slug on August 10, 2006, 11:23:16 AM
Quote from: simplistsims
what kinda error came up?

"log in Failed"

Michael
Title: Password only does not let me login
Post by: flash on August 10, 2006, 12:44:45 PM
Login failed for me as well.
Title: Re: Roundcube Still Has That Major Security Flaw!!!!!
Post by: KeblerelfKC on August 10, 2006, 02:34:44 PM
I tried the passwords for a few different accounts and all mine failed as well. You're using the 0.1 Beta 2 version right?
Title: Re: Roundcube Still Has That Major Security Flaw!!!!!
Post by: simplistsims on August 11, 2006, 08:26:44 AM
yeah i am
Title: Re: Roundcube Still Has That Major Security Flaw!!!!!
Post by: richardt on August 13, 2006, 08:30:52 PM
"Login Failed" here too...  ;)
Title: Re: Roundcube Still Has That Major Security Flaw!!!!!
Post by: Delta-9 on August 14, 2006, 04:27:12 PM
login worked for me w/ only the password.

For those that have the problem 'fixed' do you have multiple users on your roundcube install?

I only have one account (mine) on my roundcube install, so I am just wondering if that has anything to do with it. This isn't a major concern of mine, since I am the only one that uses this and I am the only one that knows my password.

Title: Re: Roundcube Still Has That Major Security Flaw!!!!!
Post by: KeblerelfKC on August 14, 2006, 10:01:14 PM
Yeah...have multiple users in my case.
Title: Re: Roundcube Still Has That Major Security Flaw!!!!!
Post by: flash on August 14, 2006, 10:22:56 PM
What do you mean multiple users? RC does not know how many users are going to use it.

What setting in the config file are you talking about? Maybe that is the key. Whatever config value you have set, maybe we don't.
Title: Re: Roundcube Still Has That Major Security Flaw!!!!!
Post by: KeblerelfKC on August 16, 2006, 12:32:02 AM
My assumption was that they meant multiple records in the RC users table.
Title: Re: Roundcube Still Has That Major Security Flaw!!!!!
Post by: poncho on August 16, 2006, 05:44:37 AM
I have only one mail account (my own) and yes, I can login with only my password.

But I don't think this is a critical bug. The username is bla@domain.de for me and everyone can see it.
The password is the secret thing and without it you can do nothing :)
Title: Re: Roundcube Still Has That Major Security Flaw!!!!!
Post by: moroswitie on August 16, 2006, 08:14:38 AM
I checked it, and this is what it gave,

fresh install, no users stored in the mysql database

-------
Logged in with user successfully =>
logged out =>
closed browser (firefox) =>
opened new browser window entered only password; successfully logged in =>
=>
opened new browser windows (ie) entered only password; successfully logged in
-------
-------
Logged in with different user successfully =>
logged out =>
closed browser (firefox) =>
opened new browser window, entered only password (for this user); logging in failed =>
=>
opened new browser windows (ie), entered only password (for this user); logging in failed
-------
-------
opened new browser window, entered only password for the first user I logged in with; successfully logged in
Title: Re: Roundcube Still Has That Major Security Flaw!!!!!
Post by: Slug on August 17, 2006, 09:19:27 AM
Quote from: Delta-9
For those that have the problem 'fixed' do you have multiple users on your roundcube install?

Yes 2 users ...

Michael
Title: Re: Roundcube Still Has That Major Security Flaw!!!!!
Post by: Delta-9 on August 17, 2006, 05:15:15 PM
Quote from: moroswitie

opened new browser window, entered only password (for this user); logging in failed =>
=>
opened new browser windows (ie), entered only password (for this user); logging in failed
-------
-------
opened new browser window, entered only password for the first user I logged in with; successfully logged in

Well then, there you go. It looks like it is looking at the first record in the database and tries the password against that record.

Interesting.
Title: Re: Roundcube Still Has That Major Security Flaw!!!!!
Post by: fibbers on August 17, 2006, 06:55:59 PM
Quote
...
[roundcube-root]/program/include/main.inc
on line 460 you should see something like this:
Quote
if ($sql_arr = $DB->fetch_assoc($sql_result))
...
The line then should look like this:
Quote
if ($sql_arr == $DB->fetch_assoc($sql_result))
...

I was a little too enthusiastic with posting I think :), because if you make the change I wrote above, the preferences are not fetched from the database (at least in my case).

Now I just modified the 'rcmail_login' function in program/include/main.inc so that on line 423 I inserted:
Code:
if (empty($user) || empty($pass)) return false;
and this does work correctly ;)
Title: Re: Roundcube Still Has That Major Security Flaw!!!!!
Post by: bamnptow on August 17, 2006, 07:24:51 PM
I can duplicate this, too.

The first user created in my system can logon without entering a user name. Subsequent users all need both username and password. This applies to Firefox and IE6.

I don't think it's a major crisis because anybody with an email from me can guess my username with no effort at all, but it is still a little disturbing!
Title: Re: Roundcube Still Has That Major Security Flaw!!!!!
Post by: atrophic on August 20, 2006, 04:16:53 AM
The default alias for any user is blank. Because of that a blank username pulls up the first user entered that doesn't yet have an alias. If you give the first user added an alias the second one is assumed when no username is supplied, etc.

Fix it with this patch:
Code:
--- main.bak.inc
+++ main.inc
@@ -451,7 +451,7 @@
  // query if user already registered
  $sql_result = $DB->query("SELECT user_id, username, language, preferences
               FROM ".get_table_name('users')."
-              WHERE mail_host=? AND (username=? OR alias=?)",
+              WHERE mail_host=? AND (username=? OR (alias=? AND alias!=''))",
               $host,
               $user,
               $user);
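Review bot: on the changed WHERE line, `alias!=''` guards only the alias branch, so a blank `$user` is still bound to `username=?` and the query still runs for a login with no username. Rejecting an empty `$user` before `$DB->query(...)` would close the case without relying on what the users table contains, and a short comment next to the new condition saying that blank aliases are excluded on purpose would help whoever edits this query next.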
Title: Re: Roundcube Still Has That Major Security Flaw!!!!!
Post by: Scubes13 on August 24, 2006, 08:46:40 AM
Just thought I would note that I am able to login without a username on our test installation as well. As stated earlier, it is the first user only.

Kevin L.
Title: Re: Roundcube Still Has That Major Security Flaw!!!!!
Post by: AlexRezid on August 28, 2006, 02:35:52 PM
Quote from: atrophic
The default alias for any user is blank. Because of that a blank username pulls up the first user entered that doesn't yet have an alias. If you give the first user added an alias the second one is assumed when no username is supplied, etc.

Fix it with this patch:
Code:
--- main.bak.inc
+++ main.inc
@@ -451,7 +451,7 @@
  // query if user already registered
  $sql_result = $DB->query("SELECT user_id, username, language, preferences
               FROM ".get_table_name('users')."
-              WHERE mail_host=? AND (username=? OR alias=?)",
+              WHERE mail_host=? AND (username=? OR (alias=? AND alias!=''))",
               $host,
               $user,
               $user);

Using this code breaks Preferences fetching from the database...

Use (as suggested somewhere) :
Code:
--- main.inc.old    2006-08-28 20:33:44.000000000 +0200
+++ main.inc  2006-08-28 20:33:08.000000000 +0200
@@ -420,6 +420,8 @@
  global $CONFIG, $IMAP, $DB, $sess_user_lang;
  $user_id = NULL;

+ if (!$user) return FALSE;
+
  if (!$host)
   $host = $CONFIG['default_host'];
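Review bot: `if (!$user) return FALSE;` relies on PHP's loose truthiness, so it also rejects the login name `0` and lets a whitespace-only string through to the lookup. Comparing the trimmed value against the empty string, for example `if (trim((string)$user) === '') return FALSE;`, states the intent exactly. The added line also has no comment saying why a blank login name is refused at this point, which the next reader of this function will want.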
Title: Re: Roundcube Still Has That Major Security Flaw!!!!!
Post by: infoeon on September 07, 2006, 09:57:11 AM
I have the same issue on .1 beta2. There are 6 users in my Roundcube database and I can login as the first user listed with just the password. It does not appear to be a browser cache issue as it happens on IE and Firefox on the same machine and also Firefox on a separate machine.

1) Log in with username and password on machine A
2) Log out on machine A
3) Log in with just password on machine A, or B, or C, ....

I checked the options in my config files and didn't find any that affected the issue.
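
The lookup behaviour described in this thread, reproduced as an added example (not code from any post or from Roundcube itself): it runs the original and patched WHERE clauses from atrophic's patch against a small constructed users table in SQLite, plus an early-return guard like the one suggested above. The rows, host name, function names and the `ORDER BY user_id LIMIT 1` (standing in for "first record fetched") are assumptions made for the example.

```python
import sqlite3

HOST = "mail.example.test"  # constructed host name

def make_db():
    # Column names are taken from the query quoted in the thread;
    # the rows are constructed sample data.
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE users (
        user_id INTEGER PRIMARY KEY, username TEXT, mail_host TEXT,
        alias TEXT NOT NULL DEFAULT '', language TEXT, preferences TEXT)""")
    db.executemany(
        "INSERT INTO users (username, mail_host, alias) VALUES (?, ?, ?)",
        [("alice@example.test", HOST, ""),        # first user, blank alias
         ("bob@example.test", HOST, ""),          # second user, blank alias
         ("carol@example.test", HOST, "carol")])  # user with an alias set
    return db

# WHERE clauses from the '-' and '+' lines of the patch in the thread.
ORIGINAL = "mail_host=? AND (username=? OR alias=?)"
PATCHED = "mail_host=? AND (username=? OR (alias=? AND alias!=''))"

def lookup(db, where, user, host=HOST):
    """Return the stored username that the typed login name resolves to."""
    # ORDER BY/LIMIT is an assumption standing in for "first row fetched".
    row = db.execute(
        "SELECT username FROM users WHERE " + where +
        " ORDER BY user_id LIMIT 1", (host, user, user)).fetchone()
    return row[0] if row else None

def lookup_guarded(db, user, host=HOST):
    """Refuse a blank login name before any query is issued."""
    if user is None or user.strip() == "":
        return None
    return lookup(db, PATCHED, user, host)

if __name__ == "__main__":
    db = make_db()
    for name in ("", "carol", "bob@example.test"):
        print(repr(name), "->", lookup(db, ORIGINAL, name),
              "|", lookup(db, PATCHED, name), "|", lookup_guarded(db, name))
```

Giving the first row an alias and repeating the blank lookup with the original clause moves the match to the second row, which is the behaviour atrophic describes.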