[rt-users] Able to login with fake password

Percynski, Fred fpercynski at hdms.com
Mon Aug 18 13:40:37 EDT 2008


I get an error each time I try to log in to RT. And even worse, I found
that I can log in with a fake password.

-------  Start of error message -----
System error

error:  Can't use an undefined value as an ARRAY reference at
/opt/rt3/local/lib/RT/User_Vendor.pm line 56.
 
context:  unable to open file   
 
code stack:  /opt/rt3/local/lib/RT/User_Vendor.pm:56
/opt/rt3/local/lib/RT/User_Vendor.pm:359
/opt/rt3/lib/RT/CurrentUser.pm:309
/opt/rt3/share/html/autohandler:247
 
Can't use an undefined value as an ARRAY reference at
/opt/rt3/local/lib/RT/User_Vendor.pm line 56.

Trace begun at /usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Exceptions.pm
line 129
HTML::Mason::Exceptions::rethrow_exception('Can\'t use an undefined
value as an ARRAY reference at /opt/rt3/local/lib/RT/User_Vendor.pm line
56.^J') called at /opt/rt3/local/lib/RT/User_Vendor.pm line 56
RT::User::IsExternalPassword('RT::User=HASH(0xb9690c0)',
'boguspassword') called at /opt/rt3/local/lib/RT/User_Vendor.pm line 359
RT::User::IsPassword('RT::User=HASH(0xb9690c0)', 'boguspassword') called
at /opt/rt3/lib/RT/CurrentUser.pm line 309
RT::CurrentUser::IsPassword('RT::CurrentUser=HASH(0xb990af4)',
'boguspassword') called at /opt/rt3/share/html/autohandler line 247
HTML::Mason::Commands::__ANON__('pass', 'boguspassword', 'user',
'fpercynski') called at
/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Component.pm line 135
HTML::Mason::Component::run('HTML::Mason::Component::FileBased=HASH(0xb3
6f2c0)', 'pass', 'boguspassword', 'user', 'fpercynski') called at
/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Request.pm line 1273
eval {...} at /usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Request.pm line
1268
HTML::Mason::Request::comp(undef, undef, undef, 'pass', 'boguspassword',
'user', 'fpercynski') called at
/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Request.pm line 467
eval {...} at /usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Request.pm line
467
eval {...} at /usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Request.pm line
419
HTML::Mason::Request::exec('HTML::Mason::Request::ApacheHandler=HASH(0xb
99677c)') called at
/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/ApacheHandler.pm line 168
HTML::Mason::Request::ApacheHandler::exec('HTML::Mason::Request::ApacheH
andler=HASH(0xb99677c)') called at
/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/ApacheHandler.pm line 825
HTML::Mason::ApacheHandler::handle_request('HTML::Mason::ApacheHandler=H
ASH(0x9f95b18)', 'Apache2::RequestRec=SCALAR(0xb9568a0)') called at
/opt/rt3/bin/webmux.pl line 125
eval {...} at /opt/rt3/bin/webmux.pl line 125
RT::Mason::handler('Apache2::RequestRec=SCALAR(0xb9568a0)') called at -e
line 0
eval {...} at -e line 0
-------  End of error message -----


In the above error message the word "boguspassword" is the plain text
representation of the password that I typed in, which is not my real
password and should not allow me to log in. But if I press F5 in my
browser and resubmit the information I am then successfully logged in to
RT under my account.

Obviously I have configured something in a bad way, but I can't figure
out what.

About two months ago I was trying to get RT to authenticate against
Active Directory. I tried to install RT::Authen::ExternalAuth but it
never finished successfully. Nonetheless, part of the installation must
have worked because I have an $RTHOME/local/etc/Authen-ExternalAuth/
directory. Searching the archives makes me believe the error message
above is in some way related to external authentication. I have not
manually modified $RTHOME/etc/RT_SiteConfig.pm in any way to use
external authentication.

RT version is 3.6.6

