upgrade version, fix security issue
dweeves authored and tmotyl committed Sep 1, 2020
1 parent ccce6ef commit fcd5380
Showing 4 changed files with 11 additions and 5 deletions.
6 changes: 6 additions & 0 deletions magmi/ReleaseNotes.txt
@@ -1,3 +1,9 @@
------------------------------------------------
- RELEASE NOTES FOR MAGMI 0.7.24 -
-------------------------------------------------

IMPORTANT Security fix, remove default login magmi:magmi since it can be exploited.

------------------------------------------------
- RELEASE NOTES FOR MAGMI 0.7.23 -
-------------------------------------------------
4 changes: 2 additions & 2 deletions magmi/inc/magmi_auth.php
@@ -34,7 +34,7 @@ public function __construct($user, $pass)
public function authenticate()
{
if (!$this->_hasDB) {
return ($this->user == 'magmi' && $this->pass == 'magmi');
die("Please create magmi.ini file in magmi/conf directory , by copying & editing magmi.ini.default file and filling appropriate values");
}
$tn=$this->tablename('admin_user');
$result = $this->select("SELECT * FROM $tn WHERE username = ?", array($this->user))->fetch(PDO::FETCH_ASSOC);
@@ -53,7 +53,7 @@ private function validatePass($hash, $pass)

return $valid;
}

/**
* Generate Argon2ID13 hash.
* Got from \Magento\Framework\Encryption\Encryptor
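Review bot: The new `die(...)` in `authenticate()` ends the request from inside the auth class when magmi.ini is missing, so the caller never receives a false result and an unauthenticated client is shown the setup hint, without a 401 as far as this page shows. Failing closed is the right direction after dropping the magmi:magmi fallback, but the refusal is better kept on the normal path: `error_log('Magmi: conf/magmi.ini missing, authentication disabled'); return false;`, with the setup instructions left to the docs or the server log. The class and the rest of `authenticate()` continue outside the hunk, so how `_hasDB` gets set could not be checked here.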
4 changes: 2 additions & 2 deletions magmi/inc/magmi_version.php
@@ -1,5 +1,5 @@
<?php
class Magmi_Version
{
public static $version="0.7.23-git";
}
public static $version="0.7.24-git";
}
2 changes: 1 addition & 1 deletion magmi/web/security.php
@@ -39,7 +39,7 @@ function authenticate($username="", $password="")
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate:Basic realm="Magmi"');
header('HTTP/1.0 401 Unauthorized');
echo 'You must be logged in to use Magmi';
echo 'You must be logged into magento admin to use Magmi';
die();
} else {
if (!authenticate($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
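Review bot: The reworded prompt on the `echo` line now asks for Magento admin credentials, and those travel over HTTP Basic, which only base64-encodes them on every request; nothing visible in this hunk refuses a plain-HTTP request before the challenge is sent. If TLS is not enforced elsewhere (web server or proxy configuration, not visible here), add a guard ahead of the `WWW-Authenticate` header, e.g. `if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') { header('HTTP/1.0 403 Forbidden'); die('Magmi requires HTTPS'); }`, adjusted for any TLS-terminating proxy. The wording could also be more exact, since the user supplies an admin account rather than being logged in to the admin panel: `echo 'Magento admin credentials are required to use Magmi';`. The enclosing block starts and ends outside the hunk.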
