I turned on Social Login and set Enable social login: Use social login only. The login form is now hidden from the login screen and there are buttons for social login only. It seems that the setting works well, but unfortunately it works only on the surface.
There is a security issue, as the app still accepts requests for non-social login and does not block logins by username and password. I believe that this should be solved by adding a check of CFG_ENABLE_SOCIAL_LOGIN in modules\users\actions\login.php, and if it equals 2 (use social login only), users::login() should not be initiated but the execution of the script should be stopped.
Social login only - form is hidden but app still accepts data - security issue
- support
- Site Admin
- Name: Sergey Kharchishin
Re: Social login only - form is hidden but app still accepts data - security issue
Agreed. Replace the file in modules\users\actions\ with the one from the archive.
Fix will be in 2.9.1
- Attachments
- login.zip (766 Bytes) Downloaded 75 times
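The server-side check discussed in this thread, as an added example (it is not the project's code and not the contents of login.zip). The function names, the `SOCIAL_LOGIN_ONLY` constant and the callable standing in for `users::login()` are hypothetical; only `CFG_ENABLE_SOCIAL_LOGIN` and the value 2 come from the thread, and treating every other value as "password login allowed" is an assumption.

```php
<?php
declare(strict_types=1);

// Hypothetical name for the value the thread describes (2 = use social login only).
const SOCIAL_LOGIN_ONLY = 2;

// Decide on the server whether a username/password login may proceed.
// $mode is the value of CFG_ENABLE_SOCIAL_LOGIN; stored settings are often
// strings, so compare after an integer cast.
function password_login_allowed($mode): bool
{
    return (int) $mode !== SOCIAL_LOGIN_ONLY;
}

// Hypothetical handler. $passwordLogin stands in for the application's own
// routine (users::login() in the thread); its real signature is not shown
// on the page, so it is passed in as a callable.
function handle_password_login(array $post, $mode, callable $passwordLogin): array
{
    if (!password_login_allowed($mode)) {
        // With the form hidden, a password POST is a hand-crafted request:
        // log it so it can be alerted on, and stop before any credential check.
        error_log('password login rejected: social-login-only mode is active');
        return ['status' => 403, 'body' => 'Password login is disabled'];
    }
    $user = (string) ($post['username'] ?? '');
    $pass = (string) ($post['password'] ?? '');
    return $passwordLogin($user, $pass)
        ? ['status' => 302, 'body' => 'Logged in']
        : ['status' => 401, 'body' => 'Invalid credentials'];
}

// Constructed sample input: valid credentials sent directly to the endpoint.
$called = false;
$login = function (string $u, string $p) use (&$called): bool {
    $called = true; // tracks whether the credential check was ever reached
    return $u === 'alice' && $p === 'correct-password';
};
$request = ['username' => 'alice', 'password' => 'correct-password'];

// Setting stored as the string '2': the request must be refused outright.
$r = handle_password_login($request, '2', $login);
printf("social only: %d, login routine reached: %s\n", $r['status'], $called ? 'yes' : 'no');

// Any other value (1 is a constructed sample) lets the normal path run.
$r = handle_password_login($request, 1, $login);
printf("other mode:  %d, login routine reached: %s\n", $r['status'], $called ? 'yes' : 'no');
```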