From fcd5380de34790f6fbd69704a260e2c3fb2a883c Mon Sep 17 00:00:00 2001
From: seb
Date: Sun, 30 Aug 2020 15:26:12 +0200
Subject: [PATCH] upgrade version, fix security issue
---
 magmi/ReleaseNotes.txt | 6 ++++++
 magmi/inc/magmi_auth.php | 4 ++--
 magmi/inc/magmi_version.php | 4 ++--
 magmi/web/security.php | 2 +-
 4 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/magmi/ReleaseNotes.txt b/magmi/ReleaseNotes.txt
index 7cd2f9cf..cf91c830 100644
--- a/magmi/ReleaseNotes.txt
+++ b/magmi/ReleaseNotes.txt
@@ -1,3 +1,9 @@
+------------------------------------------------
+- RELEASE NOTES FOR MAGMI 0.7.24 -
+-------------------------------------------------
+
+IMPORTANT Security fix, remove default login magmi:magmi since it can be exploited.
+
 ------------------------------------------------
 - RELEASE NOTES FOR MAGMI 0.7.23 -
 -------------------------------------------------
diff --git a/magmi/inc/magmi_auth.php b/magmi/inc/magmi_auth.php
index f759de14..37c79d8d 100644
--- a/magmi/inc/magmi_auth.php
+++ b/magmi/inc/magmi_auth.php
@@ -34,7 +34,7 @@ public function __construct($user, $pass)
 public function authenticate()
 {
 if (!$this->_hasDB) {
- return ($this->user == 'magmi' && $this->pass == 'magmi');
+ die("Please create magmi.ini file in magmi/conf directory , by copying & editing magmi.ini.default file and filling appropriate values");
 }
 $tn=$this->tablename('admin_user');
 $result = $this->select("SELECT * FROM $tn WHERE username = ?", array($this->user))->fetch(PDO::FETCH_ASSOC);
@@ -53,7 +53,7 @@ private function validatePass($hash, $pass) return $valid; } - + /** * Generate Argon2ID13 hash. * Got from \Magento\Framework\Encryption\Encryptor
diff --git a/magmi/inc/magmi_version.php b/magmi/inc/magmi_version.php
index 971f8dd2..bfa3a2a4 100644
--- a/magmi/inc/magmi_version.php
+++ b/magmi/inc/magmi_version.php
@@ -1,5 +1,5 @@
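Review bot: In the first `magmi/inc/magmi_auth.php` hunk, the new `die(...)` in the `!$this->_hasDB` branch of `authenticate()` fails closed, but it ends the request from inside the auth class. The caller (presumably `magmi/web/security.php`, whose change is not visible here) therefore cannot choose a status code or log the attempt, and the setup hint is likely sent to an unauthenticated client with a normal 200 response. Consider `throw new RuntimeException('magmi.ini is missing; authentication is unavailable');` or simply `return false;`, and let the web entry point answer with a 503 and show the setup instructions. Installs that ran without `magmi.ini` accepted a publicly known credential, so the release note could also advise operators to review access logs for the Magmi UI after upgrading. The body of `authenticate()` continues past the end of this hunk.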