upgrade version, fix security issue

dweeves · Aug 30, 2020 · dde71de · dde71de
1 parent 18bd9ec
commit dde71de
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 3 deletions.
diff --git a/magmi/ReleaseNotes.txt b/magmi/ReleaseNotes.txt
@@ -1,3 +1,9 @@
+------------------------------------------------
+-     RELEASE NOTES FOR MAGMI 0.7.24           -
+-------------------------------------------------
+
+IMPORTANT Security fix, remove default login magmi:magmi since it can be exploited.
+
 ------------------------------------------------
 -     RELEASE NOTES FOR MAGMI 0.7.23           -
 -------------------------------------------------

diff --git a/magmi/inc/magmi_auth.php b/magmi/inc/magmi_auth.php
@@ -32,7 +32,9 @@ public function __construct($user,$pass){
 
 
     public function authenticate(){
-		if (!$this->_hasDB) return ($this->user == 'magmi' && $this->pass == 'magmi');
+        if(!$this->_hasDB) {
+            die("Please create magmi.ini file in magmi/conf directory , by copying & editing magmi.ini.default file and filling appropriate values");
+        }
 		$tn=$this->tablename('admin_user');
         $result = $this->select("SELECT * FROM $tn WHERE username = ?",array($this->user))->fetch(PDO::FETCH_ASSOC);
         return $this->validatePass($result['password'],$this->pass);

diff --git a/magmi/inc/magmi_version.php b/magmi/inc/magmi_version.php
@@ -1,5 +1,5 @@
 <?php
     	class Magmi_Version
     	{
-    		 public static $version="0.7.23-git";
+    		 public static $version="0.7.24-git";
     	}
diff --git a/magmi/web/security.php b/magmi/web/security.php
@@ -39,7 +39,7 @@ function authenticate($username="",$password=""){
 if (!isset($_SERVER['PHP_AUTH_USER'])) {
     header('WWW-Authenticate:Basic realm="Magmi"');
     header('HTTP/1.0 401 Unauthorized');
-    echo 'You must be logged in to use Magmi';
+    echo 'You must be logged into magento admin to use Magmi';
     die();
 } else {
     if (!authenticate($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW'])){