Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#821 closed defect (fixed)

server admin PHP pages can be brought up without logging in

Reported by: tonyfang
Owned by: tonyfang
Priority: medium
Milestone: 2.1
Component: General
Version: 2.0.1
Severity: major
Keywords:
Cc:
External ID: 1184740

Description

The following server admin php pages can be accessed without logging in:

  • addserver.php
  • wmsproperties.php
  • wfsproperties.php
  • about.php

LoadSessionVars is NOT preventing the php pages from loading. For all the other pages that do NOT load, it is calls to:

...that are preventing the php pages from loading.

In sessionvars.php LoadSessionVars(), when the $webConfigFile is empty, I will throw an exception -- rather than simply return. If it simply returns, then the page will continue loading -- even though LoadSessionVars has failed.

Also, the catch in LoadSessionVars will now catch all Exceptions (not just MgException). This is so it can catch the exception thrown when $webConfigFile is empty.

The final change is to resizablepagecomponents.php's LogoutWithFatalException. I added a check for a null $site before calling $site->Close(). When the user has not logged in, then $site is still null, and a fatal error results when we try to call Close on a null $site.

So now, when a user tries to access any of the pages (without logging in first), it punts you to the login.php screen -- and there's a message that says: "Fatal error encountered! Please login again."

Change History (2)

comment:1 Changed 10 years ago by tonyfang

Resolution: fixed
Status: new → closed

http://trac.osgeo.org/mapguide/changeset/3454

Fix #821: server admin PHP pages can be brought up without logging in

The following server admin php pages can be accessed without logging in:

  • addserver.php
  • wmsproperties.php
  • wfsproperties.php
  • about.php

When one of the server admin php pages is accessed, it calls LoadSessionVars to initialize some variables. When the user has not logged in correctly yet, $webConfigFile does not exist (on the very first load), or $webConfigFile is empty (on all subsequent loads). LoadSessionVars would simply return -- and the php would continue to load.

Most of the server admin php pages contained one of the following calls:

If the user has not logged on, and one of these calls was accessed, a fatal error would result -- and thus the php page would not load.

To correct this, in sessionvars.php LoadSessionVars(), when the $webConfigFile does not exist or is empty, we will throw an AuthenticationFailedException. In the catch section, we will try to catch the AuthenticationFailedException. If we do, we will call LogoutWithAuthenticationFailedException. Also we will try to catch Exception afterwards (rather than just MgException) so we can catch all exceptions.

The final changes are to resizablepagecomponents.php.

In LogoutWithFatalException, I added a check for a null $site before calling $site->Close(). When the user has not logged in, then $site is still null, and a fatal error results when we try to call Close on a null $site.

I also added the function LogoutWithAuthenticationFailedException. It's the same as LogoutWithFatalException -- except it displays the Authentication Failed message.

So now, when a user tries to access any of the pages (without logging in first), it punts you to the login.php screen -- and there's a message that says: "Authentication failed. Please enter a valid username and password."
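The fail-closed pattern the ticket description and comment:1 describe, as an added illustration that is not MapGuide's own code: a missing or empty $webConfigFile is treated as an authentication failure that aborts the page, instead of a silent return that lets the rest of the script render. The names LoadSessionVars, LogoutWithFatalException, LogoutWithAuthenticationFailedException, AuthenticationFailedException, MgException, $webConfigFile and $site come from the ticket; the FakeSite class, RedirectToLogin helper, the `exit` after the redirect and the "before" variant LoadSessionVarsBeforeFix are assumptions made for this example.

```php
<?php
// Added example (not the project's code). Shows why a guard that merely
// returns is not a guard, and the null-safe logout from the ticket.

class MgException extends Exception {}
class AuthenticationFailedException extends Exception {}

// Assumed stand-in for the site connection; Close() is the only method used.
class FakeSite {
    public function Close() { /* release the connection */ }
}

$site = null;          // still null until a login has succeeded
$webConfigFile = '';   // empty (or unset) for an unauthenticated request

// Assumed helper: a real page would send a Location header to login.php.
function RedirectToLogin($message) {
    echo "Redirecting to login.php: $message\n";
}

// BEFORE (as the ticket describes it): returning silently lets the caller
// keep rendering the admin page even though nothing was initialised.
function LoadSessionVarsBeforeFix() {
    global $webConfigFile;
    if (!isset($webConfigFile) || $webConfigFile === '') {
        return;   // page continues to load -- this is the defect
    }
}

// AFTER: an absent/empty config file is an authentication failure, the
// catch block handles it, and the fallback catch covers every Exception
// rather than only MgException.
function LoadSessionVars() {
    global $webConfigFile;
    try {
        if (!isset($webConfigFile) || $webConfigFile === '') {
            throw new AuthenticationFailedException('no web config in session');
        }
        // ... initialise session variables and $site here ...
    } catch (AuthenticationFailedException $e) {
        LogoutWithAuthenticationFailedException();
    } catch (Exception $e) {
        LogoutWithFatalException();
    }
}

function LogoutWithFatalException() {
    global $site;
    if ($site != null) {   // null check: calling Close() on null was itself fatal
        $site->Close();
    }
    RedirectToLogin('Fatal error encountered! Please login again.');
    exit;                  // assumed: stop the script so no page body is emitted
}

function LogoutWithAuthenticationFailedException() {
    global $site;
    if ($site != null) {
        $site->Close();
    }
    RedirectToLogin('Authentication failed. Please enter a valid username and password.');
    exit;
}

// Simulated unauthenticated request against the fixed guard.
LoadSessionVars();
echo "admin page body rendered\n";   // never reached without a valid session
```

Run with `php example.php`: the fixed guard prints only the redirect line. Swap the final call for LoadSessionVarsBeforeFix() and the "admin page body rendered" line appears, which is exactly the unauthenticated exposure the ticket reports. The defensive point is that a session check must terminate the request (throw, redirect, exit), and that the cleanup path it runs must tolerate the partially initialised state of an unauthenticated request.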

comment:2 Changed 10 years ago by tonyfang

wrong changeset in the previous comment.

http://trac.osgeo.org/mapguide/changeset/3551
