View Issue Details

ID: 0007006
Project: mantisbt
Category: security
View Status: public
Last Update: 2006-05-07 03:51
Reporter: hcey
Assigned To: vboctor
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.0.2
Fixed in Version: 1.1.0a1
Summary: 0007006: Login with disabled account possible
Description

With this bug it is possible to log in although an account is disabled.

I go to www.myserver.com/mantis/, click "Lost your password?" and then enter the data of my disabled account.
Now I get an email with a password reset link. When I click it, I see the login screen, but when I then go back to www.myserver.com/mantis/:
Voila! I'm logged in with my disabled account!

Tags: No tags attached.

Relationships

parent of 0007037 (closed, vboctor): Port: Login with disabled account possible

Activities

vboctor (manager) 2006-05-02 09:27 ~0012766

In lost_pwd.php:

Replace:
Line 41: $query = 'SELECT id FROM ' . $t_user_table . ' WHERE username = \'' . $c_username . '\' AND email = \'' . $c_email . '\'';

With:
$query = 'SELECT id FROM ' . $t_user_table . ' WHERE username = \'' . $c_username . '\' AND email = \'' . $c_email . '\' AND enabled=1';

I haven't had a chance to test this fix. If someone confirms that it is working I'll commit it into CVS. Otherwise, I'll get to it later.

tyler (reporter) 2006-05-02 17:37 ~0012768

I tested your query and it works correctly. With it set, I get the following on lost_pwd_page.php:

APPLICATION ERROR #1903
The provided information doesn't match any registered account!

Without the fix, I get the email sent correctly to the disabled user.

Fix works, go ahead and submit :)
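The lookup change from vboctor's comment and the behaviour tyler confirmed, as an added example that is not part of the original report or of MantisBT's code. It builds a constructed in-memory users table with one enabled and one disabled account, runs the password-reset lookup both without and with the `AND enabled=1` condition, and maps a miss to the error number the page shows (APPLICATION ERROR #1903). Unlike the PHP line quoted above it uses query placeholders rather than string concatenation; the table name `mantis_user_table`, the sample accounts, and the `consume_reset_link` check (a defence-in-depth re-check of `enabled` at the point the reset link is used, which the page does not describe) are assumptions made for the example.

```python
import sqlite3

# Error number and message as shown on lost_pwd_page.php in the report.
ERROR_1903 = "APPLICATION ERROR #1903: The provided information doesn't match any registered account!"

# Constructed sample data, not taken from any real MantisBT database.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com", 1),    # enabled account
    (2, "mallory", "mallory@example.com", 0),  # disabled account
]

# The two queries from the comment above, with placeholders instead of concatenation.
QUERY_BEFORE_FIX = (
    "SELECT id FROM mantis_user_table WHERE username = ? AND email = ?"
)
QUERY_AFTER_FIX = (
    "SELECT id FROM mantis_user_table WHERE username = ? AND email = ? AND enabled = 1"
)


def make_db():
    """Create an in-memory user table (assumed layout) holding the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mantis_user_table ("
        "id INTEGER PRIMARY KEY, username TEXT, email TEXT, enabled INTEGER)"
    )
    conn.executemany("INSERT INTO mantis_user_table VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def request_reset(conn, username, email, fixed):
    """Model lost_pwd.php: look the account up and either 'send' the mail or fail with #1903.

    Returns ("mail_sent", user_id) when the lookup matches, ("error_1903", None) otherwise.
    """
    query = QUERY_AFTER_FIX if fixed else QUERY_BEFORE_FIX
    row = conn.execute(query, (username, email)).fetchone()
    if row is None:
        return ("error_1903", None)
    return ("mail_sent", row[0])


def consume_reset_link(conn, user_id):
    """Assumed defence-in-depth check when the reset link is clicked: refuse disabled accounts.

    This second check is not part of the fix on the page; it only guards against a link
    that was mailed before the account was disabled.
    """
    row = conn.execute(
        "SELECT enabled FROM mantis_user_table WHERE id = ?", (user_id,)
    ).fetchone()
    return row is not None and row[0] == 1


if __name__ == "__main__":
    db = make_db()
    for fixed in (False, True):
        label = "with fix" if fixed else "without fix"
        outcome, uid = request_reset(db, "mallory", "mallory@example.com", fixed)
        if outcome == "mail_sent":
            print(f"{label}: reset mail sent to disabled user id {uid}")
        else:
            print(f"{label}: {ERROR_1903}")
```

Running the block prints the reset mail being sent to the disabled account without the fix and the #1903 error with it, matching the two outcomes tyler reports.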