jdk Posted April 30, 2008

This is a major security issue. I went inside of WHMCS and got the integration code for the client login for my site's homepage. I put it on the homepage and entered only the email address. I clicked login and it allowed me to log in to my test account. I figured it was a stored cookie. I clicked logout and went back. It allowed me to log in again just using the email address. OK, so I clicked logout, created a new test account, and entered only the email address. Clicked login and I WAS IN. This only worked for emails in the client system. This needs to be fixed to check the login and password on all platforms. I am using Windows Vista and IE7.

ALSO, I took the URL http://www.domain.com/billing/dologin.php?goto=clientarea&username=email@email.com and it took me to the client area. We need to get this fixed FAST.
generic Posted April 30, 2008

This does not occur on the demo. From the other issues you have suffered, I would suggest it's something with your browser, maybe like you're still logged in as admin or something. Maybe logging out is not actually logging you out on YOUR server (due to some PHP setting).
jdk (Author) Posted April 30, 2008

Being logged in as admin would allow me to log in like this?
generic Posted April 30, 2008

I believe if you are logged in as an admin, you can log in to any account without a password. Anyone, am I correct?
joe123 Posted April 30, 2008

> I believe if you are logged in as an admin, you can log in to any account without a password. Anyone, am I correct?

You are correct! JDK, go to the admin area and click one of your clients, and point your mouse at "login as client". You will see something like this: https://www.domain.com/clients/dologin.php?username=account@domain.com so it does not matter where you enter your client's email address and log in, because it's like clicking that link.
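The check a practitioner would want behind a dologin-style endpoint, as an added example that is not WHMCS's code and does not describe how WHMCS actually implements it: an ordinary login must verify the password even when an administrator session exists in the same browser, and the admin "login as client" path must be an explicit, separately authorized action (an authenticated admin session plus a CSRF token from the page that offers the link), never a side effect of a username-only request. The names do_login, Session, CLIENTS, the sample account and its password, and the token values are all assumptions made for this illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample data for the example (assumed, not WHMCS's schema or storage).
SALT = b"example-salt-not-for-production"
ITERATIONS = 50_000


def hash_password(password: str) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password; a fixed salt keeps the example deterministic."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, ITERATIONS)


# Client store keyed by e-mail, since the thread's dologin.php uses the e-mail as username.
CLIENTS: Dict[str, bytes] = {
    "email@email.com": hash_password("correct horse battery"),
}
# Hash compared against for unknown accounts so both paths do one PBKDF2 and one compare.
DUMMY_HASH = hash_password("")


@dataclass
class Session:
    """Server-side session state; an admin session and a client session may coexist."""
    admin_id: Optional[str] = None
    client_email: Optional[str] = None
    csrf_token: Optional[str] = None  # token minted for the admin's "login as client" page


class LoginDenied(Exception):
    pass


def do_login(session: Session, username: str, password: Optional[str] = None,
             impersonate: bool = False, csrf_token: Optional[str] = None) -> str:
    """Decide whether a dologin-style request may start a client session.

    Returns "password" or "impersonation" on success and raises LoginDenied otherwise.
    Unknown and known accounts fail identically on a bad password so the endpoint
    does not confirm which e-mails exist.
    """
    stored = CLIENTS.get(username)

    if impersonate:
        # Admin "login as client": no password, but only for an authenticated admin
        # who explicitly requested it from a page that issued a CSRF token.
        if session.admin_id is None:
            raise LoginDenied("impersonation requires an administrator session")
        if not (csrf_token and session.csrf_token
                and hmac.compare_digest(csrf_token, session.csrf_token)):
            raise LoginDenied("impersonation requires a valid CSRF token")
        if stored is None:
            raise LoginDenied("unknown account")
        session.client_email = username
        return "impersonation"

    # Ordinary login: a password is always required, even if an admin is logged in
    # in the same browser. The admin session alone must never satisfy this path.
    if password is None:
        raise LoginDenied("password required")
    candidate = hash_password(password)
    expected = stored if stored is not None else DUMMY_HASH
    if stored is None or not hmac.compare_digest(candidate, expected):
        raise LoginDenied("invalid username or password")
    session.client_email = username
    return "password"


def outcome(session: Session, **kwargs) -> str:
    """Turn the raise/return protocol into a string for reporting."""
    try:
        return do_login(session, **kwargs)
    except LoginDenied as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    anon = Session()
    print(outcome(anon, username="email@email.com"))
    admin = Session(admin_id="admin1", csrf_token="tok123")
    print(outcome(admin, username="email@email.com"))
    print(outcome(admin, username="email@email.com", impersonate=True, csrf_token="tok123"))
    print(outcome(Session(), username="email@email.com", password="correct horse battery"))
```

The three cases in the main block mirror the thread: an anonymous username-only request is refused, a username-only request from a browser that also holds an admin session is still refused, and only the explicit impersonation request with the admin's CSRF token starts a client session without a password. Requiring the token also means a link like dologin.php?username=... cannot be used from a third-party page to drive a logged-in admin into impersonating a client.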
MACscr Posted April 30, 2008

LOL, I have to laugh at this one. What makes it worse/funny is that if it really was a security issue, why in the world would you post it on the forums? Security issues should not be made public until after the developer is notified and given a chance to make a patch.