Thursday, February 28, 2008

New Forge: Missing the bug!

Forge 2.0 was announced yesterday, and Jay and I were bracing ourselves for an avalanche of bugs, which did not come.
When Bug#34916 (Login not working on new forge site) was reported, I thought nothing of it. It was simply the wrong environment. The reporter could not log in, because he did not have an account.

I explained the problem, and felt good about it.
Sometimes I experienced reporting a bug and being told that it was intended behavior, not a bug, read the manual, thanks for writing, and that was it. So dry and clueless. Not inspiring for a further analysis.
So I took some minutes to explain what had happened, before closing the bug with the fatal words.
And the reporter, Diego Medina, wrote back, saying that indeed he did not have an account on wiki, and thus there was no bug. However, he reported a lack of message on a failed login, which made me suspicious.
So I tried logging in with a non existing account, and I was refused. Then I tried my account, with a wrong password. To my surprise, I was admitted. Then I logged out and I logged in again as Jay Pipes, with a wrong password, of course, because I don't know it.
Bingo! The system accepted my login. I was logged in as Jay. So the Forge was not checking the password at all. Something must have gone awry during the latest bug fixes.
I alerted Jay (not before changing his profile to a "lazy guy", though!) and he fixed the vulnerability in a few minutes. Apparently nobody noticed.
I found out the security hole thanks to Diego's suggestion. He actually found the bug, but he did not realize how serious it was. I feel positive vibes because I triggered Diego's comment with my explanation.
Note to bug verifiers (not all of them, but someone): sometimes, being kind can win you back some benefits!
Thanks Diego, for sending me to the right direction!
Community, please keep testing the new Forge!

1 comment:

fmpwizard said...

I was very glad when I saw your answer with a detail explanation of how the login was suppose to work and thanks for taking the time to look beyond my report.

I look forward to your MySQL Proxy Tutorial at the Conference!

Vote on Planet MySQL