change to html/includes/authenticate.inc.php broke apache's AuthBasicFake . [SEC=UNCLASSIFIED]
Adam,
First up, this happened a long time ago. It's just taken until now to find why it broke (because I have free time, I'm testing 0.16.9.8118 and found the error again).
The problem lies in line 200 of html/includes/authenticate.inc.php (v0.16.9.8118):

```php
if (!$_SESSION['authenticated'] && (authenticate($_SESSION['username'], $auth_password) || // login/password
```

In older versions, `$auth_password` was `$_SESSION['password']`.
By replacing `$auth_password` with `$_SESSION['password']`, AuthBasicFake works again.
I can't see where `$auth_password` is initialized, but it's not my code so I'll not assume too much more than that.
Thanks,
Peter Hine
Senior Technical Support Engineer (Servers)
Corporate Services | Federal Court of Australia

The information contained in this e-mail (including any attachments) is for the exclusive use of the addressee. If you are not the intended recipient please notify the sender immediately and delete this e-mail. It is noted that legal privilege is not waived because you have read this e-mail.
Hi,
`$auth_password` is initialized above (see lines 133-142 and 160 in the same file).
`$_SESSION['password']` is not used anymore; it is always empty, and your code is incorrect.
What is AuthBasicFake, and what auth mechanism is it for?
On Tue, Oct 25, 2016 at 5:16 AM, Peter.Hine@familycourt.gov.au wrote:
Mike,
"What is AuthBasicFake, and what auth mechanism is it for?" It's an Apache function to allow automatic authentication. In this instance, we are on a private network where people are already logged into a workstation and there is no reason to log in to a read-only monitoring solution. I have Nagios and MRTG set up the same way.
I understand that the world seems to think you need to log in to look at monitoring, but I believe differently. The only person who needs to do that is the person who is making a change. In the case of Observium, MRTG and Nagios, almost all of this is done at the command line.
So in my Apache conf "/etc/apache2/vhosts.d/observium.conf" I have:

```apache
AuthBasicFake guest guest
Require all granted
```

and the guest user is level 5 in Observium.
I use this because I saw no obvious solution inside Observium for automatic read-only behaviour.
Thanks,
Peter Hine
Senior Technical Support Engineer (Servers)
Corporate Services | Federal Court of Australia
participants (2)
- Mike Stupalov
- Peter.Hine@familycourt.gov.au