Forums | Mahara Community
Support
/
Any password can login to accounts
27 October 2010, 20:39
I am not the tech guy at our school but I am the primary user so I will try to explain as clearly as possible. I really hope this is an easy fix.
We have a Moodle and Mahara installation and students use the same login for both. However by accident we have discovered that a student can login to any account by entering the username and any password. My tech guy asked me to find out about authentication issues. I have searched the forums and web but cannot find an answer.
So at present any student can login to any account (including admin accounts).
Help Please and thanks!
27 October 2010, 23:22
Trevor,
Have you by any chance configured the 'None' authentication plugin for any of your institutions? You can find out in the admin area, by editing every institution and looking at the list of authentication plugins. If you see 'None' in any institution, delete it.
(As it says in the drop-down, the 'None' auth plugin is for testing only and will let anyone log in with any username/password).
Richard.
28 October 2010, 19:46
thanks, I have found the plugin that you refer to. However it will not let me delete it yet. I am receiving the following message:
We can't remove this auth plugin, as its being used by some users. You must update their records before you can delete this plugin.
I am happy if one of the admins wants to delete this forum and I can try to solve the issue through the Bug fix option (but I don't think this is a bug, I think it is a user error, namely me!)
Thanks for you very quick help so far.
Trevor
28 October 2010, 20:24
thanks I have fixed the problem. I had to remove every user, then remove the [none] plugin then put the users back in again,
thankyou for your help
29 October 2010, 19:25
Hi Trevor,
Glad to know you've resolved this problem!
Since it's not a security issue, but rather a configuration problem, I don't think we should delete this thread. It might be useful to others as well :)
Cheers,
Francois
28 October 2010, 4:27
Also, for the benefit of anybody who thinks they might have found a security vulnerability, the best way to report these is through the bug tracker (there is a checkbox to click so that the bug is hidden from the public until fixed). Alternatively, you can also email [email protected] if you are unsure.
Doing either of these will allow you to report all of the details that can help us track down the issue without revealing anything to the bad guys.
Cheers,
Francois