[ZendTo] Username Locked Out Forever
Stewart Campbell
Stewart.Campbell at pulsion.co.uk
Mon Aug 22 09:16:59 BST 2016
Thanks Jules
FYI - the lack of an SPF record for the zend.to domain is causing messages posted to this mailing list to fail if the sending domain has implemented DMARC. If you add an SPF record to zend.to showing where mail can be sent from there should be no more problems.
Also, did you see my other message about an XSS vulnerability?
Thanks,
Stewart.
From: zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] On Behalf Of Jules
Sent: 19 August 2016 17:14
To: ZendTo Users <zendto at zend.to>
Subject: Re: [ZendTo] Username Locked Out Forever
Stewart,
Oops! I'll take a look into this one as soon as I can. I suspect you're right, but I want to walk it through the code manually to confirm.
Thanks!
Jules.
On 19/08/2016 16:41, Stewart Campbell wrote:
In MySQL->DBLoginlogLength we have the following query
$query = sprintf("SELECT count(*) FROM loginlog
                  WHERE username = '%s' AND created > '%u'",
                 $this->database->real_escape_string(strtolower($user)),
                 $since);
The trouble is, $since is passed (in NSSDropbox->userFromAuthentication at least) from the preferences.php file which in my config is set to 86400. So we are basically saying where the username is in the loginlog table from 1970.
I think this needs to be changed to (time() - $since). I see the same function in the SQLite & SQLite3.php files. Not sure if this is a similar problem.
_______________________________________________
ZendTo mailing list
ZendTo at zend.to
http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
Jules
--
Julian Field MEng MBCS CITP CEng
'Give a man a fish, and you feed him for a day.
Teach a man to fish, and he'll sit in a boat and drink beer all day.'
- Anon
www.Zend.To
Twitter: @JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
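As an added illustration (not ZendTo's code, and not part of the thread), the bug Stewart describes re-created in Python against an in-memory SQLite table with constructed rows: the reported query treats the configured 86400 as an absolute timestamp, so every failure since 1970 is counted, while the proposed time() - $since gives a sliding 24-hour window. The table layout, the sample rows and the fixed "now" are assumptions made for this example.

```python
import sqlite3
import time

# Constructed values for this example (not from ZendTo's config or data):
# the 24h window Stewart's preferences.php sets, and a fixed "now" so the
# run is reproducible (2016-08-22 08:00 UTC, roughly when this thread ran).
WINDOW_SECONDS = 86400
NOW = 1471852800


def build_sample_db(now=NOW):
    """Create an in-memory loginlog with constructed failed-login rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE loginlog (username TEXT, created INTEGER)")
    rows = [
        ("alice", now - 30 * 86400),  # a month ago
        ("alice", now - 10 * 86400),  # ten days ago
        ("alice", now - 3600),        # an hour ago
        ("alice", now - 60),          # a minute ago
        ("bob",   now - 120),
    ]
    conn.executemany("INSERT INTO loginlog VALUES (?, ?)", rows)
    return conn


def login_log_length_buggy(conn, user, since):
    """Mirror of the reported query: `since` is compared as an absolute
    timestamp, so since=86400 means 'created after 1970-01-02' and every
    failure the user has ever logged counts towards the lockout."""
    sql = "SELECT count(*) FROM loginlog WHERE username = ? AND created > ?"
    return conn.execute(sql, (user.lower(), since)).fetchone()[0]


def login_log_length_fixed(conn, user, since, now=None):
    """Stewart's proposed fix: compare against now - since (sliding window)."""
    if now is None:
        now = int(time.time())
    sql = "SELECT count(*) FROM loginlog WHERE username = ? AND created > ?"
    return conn.execute(sql, (user.lower(), now - since)).fetchone()[0]


def compare(user, now=NOW):
    """Return (buggy_count, fixed_count) for one user over the sample data."""
    conn = build_sample_db(now)
    return (login_log_length_buggy(conn, user, WINDOW_SECONDS),
            login_log_length_fixed(conn, user, WINDOW_SECONDS, now))


if __name__ == "__main__":
    for name in ("Alice", "bob"):
        print(name, compare(name))  # Alice (4, 2), bob (1, 1)
```

With the buggy comparison Alice's month-old failures still count, which is why a user who has ever crossed the failure threshold stays locked out indefinitely.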