Social login only - form is hidden but app still accepts data - security issue

Any critical bugs will be fixed within 24-48 hours.
swar
Posts: 60
Joined: 19 Dec 2020, 04:11
Name: A.R.
Location: Bratislava

Post by swar »

I turned on Social Login and set Enable social login: Use social login only. The login form is now hidden from the login screen and there are buttons for social login only. It seems that the setting works well but unfortunately, it works only at the surface.

There is a security issue, as the app still accepts requests for non-social login and does not block logins by username and password. I believe that this should be solved by adding a check of CFG_ENABLE_SOCIAL_LOGIN in modules\users\actions\login.php: if it equals 2 (use social login only), users::login() should not be initiated and the execution of the script should be stopped.
support
Site Admin
Posts: 6222
Joined: 19 Oct 2014, 18:22
Name: Sergey Kharchishin
Location: Russia, Evpatoriya

Re: Social login only - form is hidden but app still accepts data - security issue

Post by support »

Agreed. Replace the file in modules\users\actions\ with the one from the archive.
The fix will be in 2.9.1.
Attachments
login.zip
(766 Bytes) Downloaded 75 times
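
The server-side check proposed in the first post, as an added example that is not part of the thread and not the contents of the attached fix. Only CFG_ENABLE_SOCIAL_LOGIN, the value 2 and users::login() come from the posts; the function names, field names, status codes and sample request are assumptions, and the setting is assumed to be cast to an integer before the comparison.

```php
<?php
// Added illustration, not the application's code. Only CFG_ENABLE_SOCIAL_LOGIN,
// the value 2 and users::login() come from the thread; all else is hypothetical.
const SOCIAL_LOGIN_ONLY = 2; // "Use social login only", per the post

// Hypothetical stand-in for users::login(); records that it was reached.
function password_login(string $username, string $password): string
{
    return "users::login() reached for {$username}";
}

// Server-side gate for the password login action. Hiding the form changes
// only the rendered HTML, so the handler itself must refuse the request.
function handle_login_action(array $post, int $socialLoginMode): array
{
    if ($socialLoginMode === SOCIAL_LOGIN_ONLY) {
        // Stop before any credential handling.
        return ['status' => 403, 'body' => 'Password login is disabled'];
    }
    // Accept only string fields; arrays or missing keys count as empty.
    $username = is_string($post['username'] ?? null) ? $post['username'] : '';
    $password = is_string($post['password'] ?? null) ? $post['password'] : '';
    if ($username === '' || $password === '') {
        return ['status' => 400, 'body' => 'Missing credentials'];
    }
    return ['status' => 200, 'body' => password_login($username, $password)];
}

// Constructed request body: the fields a hidden form would have submitted.
$request = ['username' => 'alice', 'password' => 'constructed-value'];

// Mode 1 is a constructed "not social-only" value; 2 is the value from the post.
foreach ([1, SOCIAL_LOGIN_ONLY] as $mode) {
    $result = handle_login_action($request, $mode);
    printf("mode=%d -> %d %s\n", $mode, $result['status'], $result['body']);
}
```

Running the same constructed request under both modes shows whether the credential path is reachable when the form is hidden, which is a useful regression check after applying the fix.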