fisharebest:

OK, after lots of guessing, the following URL seems to work. It is showing me webtrees in a very small (300x150) iframe. Firebug lets me resize it to something bigger. (I'm using Firefox's web-developer toolbar, but lots of tools let you do this.)

(Not really important, but you've got en-GB hard-coded, which does not exist, so it falls back to en_US.)

The installer has created a file jwtbridge.php in my webtrees install directory. (I got suspicious when it asked me to make the directory writable!!!) It creates a guest account and logs me in.

The script picks up its parameters from cookies, so let me set a few. Now, visit jwtbridge.php and hey-presto! An account with "manager" permissions!

This is the BLOODY SAME vulnerability that has affected EVERY webtrees-CMS bridge that has ever been written. Will people ever learn?

Can I advise everybody to give this application a VERY wide berth.

Component author:

fisharebest wrote: OK, after lots of guessing, the following URL seems to work. It is showing me webtrees in a very small (300x150) iframe.

New version available now which addresses that issue.

The language one is not hard coded actually. It is derived from Joomla's standard language identifiers and is output depending on the language in use. However, good point, and I will make the webtrees language identifiers available as an option in the back end.

And there were others written? They must have been well hidden then, as I and many others looked and never found.

fisharebest:

OK, I've installed the upgrade.

Suppose I can "guess" the name of an admin user. It will either be in the contact links, or one of the CHAN records. Simply set one cookie, containing the admin user name. Now visit jwtbridge.php and hey-presto! You are logged in as an administrator.

If you did indeed search for a module like this, you'll have found a great number of posts by me - all asking for people who have knowledge of Joomla, Drupal, etc., to collaborate on such a module. I know the PGV/webtrees side intimately, but have no knowledge/experience of these CMS.

I've seen the same, defective, code copied time after time. On PGV, two of the 4.x.y releases were caused by this sort of module - we were forced to alter PGV slightly (to break compatibility), and then push out upgrades, so that people who'd unwittingly downloaded it would be secure. It was a *lot* of work/stress that could have been easily avoided.

Component author:

fisharebest wrote: OK, I've installed the upgrade.

Well, I've managed to overcome that as well by password matching. The only way in now is to guess the correct user password. But that would be harder than attempting to guess the password at the login screen. However, as Joomla and webtrees use different encryption methods, the password field in webtrees would need to be set at varchar 100 instead of 64 for it to work correctly.

Sadly, judging by the hostility encountered so far, I don't think that's likely to happen. Still, it's quite secure now on my system so, thank you for the security pointers. I shall withdraw the component from the general public.

fisharebest:

If it is now secure, then why withdraw it?

If you publish open source code, you are exposing it to scrutiny and criticism. Do not confuse criticism of the code with criticism of the author.

Component author:

Because it would be irresponsible to leave those versions available for download?

Anyway, I have now made a fair few adjustments to the program:

- A unique code is now used to authenticate Joomla with webtrees, only after the user has been verified in Joomla.
- The Joomla parameters now only allow for two choices - 'none' or 'member'.
- A choice to manually copy the bridge file across if the webtrees directory cannot be set to writeable.

I did send you a copy with the security code change yesterday to your gmail address to check out. I'm quite confident those changes address the security issues, and shall make this version available on
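An added illustration of the flaw fisharebest demonstrates in the thread (the bridge taking the user name, and an access level, straight from cookies the visitor controls) set beside the kind of "unique code" handoff the component author describes in the last post: the CMS mints a short-lived, HMAC-signed token only after it has verified the user, and the bridge honours nothing else. This is example code written for this page, not the jwtbridge component's own code; the cookie names, the token format, the shared secret and the sample user are all assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not code from the jwtbridge component discussed in the thread.
// Every name below (wt_user, wt_level, jwt_token, $SHARED_SECRET, 'alice') is
// an assumption made for the illustration.

// Vulnerable form: whoever controls the cookies controls the identity.
function vulnerable_bridge_login(array $cookies): ?array
{
    if (!isset($cookies['wt_user'])) {
        return null; // no cookie: the bridge would fall back to a guest account
    }
    return [
        'user'  => (string) $cookies['wt_user'],
        'level' => (string) ($cookies['wt_level'] ?? 'guest'),
    ];
}

const TOKEN_TTL = 60; // seconds the handoff token stays valid

// CMS side: called only after the CMS has verified the user's password.
// The level comes from the CMS's own group mapping, never from the client.
function mint_token(string $secret, string $user, string $level, int $now): string
{
    $payload = base64_encode(json_encode([
        'user'  => $user,
        'level' => $level,
        'exp'   => $now + TOKEN_TTL,
    ]));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

// Bridge side: authenticate the token before parsing anything inside it.
function verify_token(string $secret, string $token, int $now): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, $secret);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return null;
    }
    $decoded = base64_decode($payload, true);
    if ($decoded === false) {
        return null;
    }
    $claims = json_decode($decoded, true);
    if (!is_array($claims) || !isset($claims['user'], $claims['level'], $claims['exp'])) {
        return null;
    }
    if (!is_int($claims['exp']) || $claims['exp'] < $now) {
        return null; // expired: a captured token cannot be replayed later
    }
    return ['user' => (string) $claims['user'], 'level' => (string) $claims['level']];
}

function hardened_bridge_login(string $secret, array $cookies, int $now): ?array
{
    if (!isset($cookies['jwt_token'])) {
        return null;
    }
    return verify_token($secret, (string) $cookies['jwt_token'], $now);
}

// Demonstration with a fixed clock so the output is reproducible.
$SHARED_SECRET = 'replace-with-32-random-bytes-from-random_bytes()'; // in both configs, never in a cookie
$now = 1700000000;

// 1. Forged cookies, exactly the attack described in the thread.
$forged = ['wt_user' => 'admin', 'wt_level' => 'admin'];
var_dump(vulnerable_bridge_login($forged));                      // admin, no password needed
var_dump(hardened_bridge_login($SHARED_SECRET, $forged, $now));  // NULL: no valid token

// 2. Legitimate handoff: the CMS authenticated 'alice' as a member.
$good = ['jwt_token' => mint_token($SHARED_SECRET, 'alice', 'member', $now)];
var_dump(hardened_bridge_login($SHARED_SECRET, $good, $now));    // alice / member

// 3. Re-encoding the payload with level=admin but keeping the old MAC fails.
[, $mac] = explode('.', $good['jwt_token']);
$evil = base64_encode(json_encode(['user' => 'alice', 'level' => 'admin', 'exp' => $now + TOKEN_TTL]));
var_dump(verify_token($SHARED_SECRET, $evil . '.' . $mac, $now)); // NULL

// 4. Replay after the TTL fails.
var_dump(hardened_bridge_login($SHARED_SECRET, $good, $now + TOKEN_TTL + 1)); // NULL
```

Two design points matter more than the token format. The MAC is checked before the payload is decoded, so the bridge never acts on bytes it has not authenticated, and the comparison uses hash_equals rather than ==. The shared secret is the only thing that makes the token unforgeable, so it has to be generated randomly and live in server-side configuration on both sides; if the "unique code" were instead written into a cookie or a query string, the bridge would be back to trusting the visitor.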