Profirator / Profi-platform

Apinf - Open source API management platform with multi proxy and protocol support
https://apinf.com/
European Union Public License 1.1

restoring disabled login options in sign-in page possible #6

Closed ilarimikkonen closed 3 years ago

ilarimikkonen commented 4 years ago

by manipulating HTML code component visibility.

matleppa commented 4 years ago

The problem is that although the basic login form is disabled, this is done by hiding the HTML elements using styles (style="display: none"). Anyone with minor knowledge of HTML can open the code in the browser and set the style to display: block, thus making the form visible.

In case the form element is not included at all in the sign-in page, there is still a loophole, because the code is open source. It is possible to get the page HTML code from Git, run it in a browser and set the element visible.

The solution is to prevent sign-in when the basic login form is disabled. When the restriction is done on the server side, it does not matter if the login page is tampered with.
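The distinction the comment above draws, as an added illustration that is not Apinf's own code: a login handler that only trusted the hidden form accepts a tampered request, while a handler that consults the server-side setting refuses the disabled method no matter what the browser shows. The `settings`, `users` and function names are constructed for this example.

```javascript
// Constructed server-side configuration: an administrator has turned the
// basic (username/password) login form off and left another provider on.
const settings = { loginMethods: { basic: false, github: true } };

// Constructed user store standing in for the accounts database. A real
// deployment stores password hashes; a plain compare is used here only to
// keep the example self-contained.
const users = { alice: 'correct horse battery staple' };

function credentialsValid(username, password, userStore) {
  return userStore[username] !== undefined && userStore[username] === password;
}

// Vulnerable shape: the server never asks whether the basic method is enabled,
// because "the form is hidden with display: none" was treated as the control.
// A request built from an un-hidden form (or from a copy of the page) succeeds.
function loginWithoutServerCheck(request, userStore = users) {
  const { username, password } = request;
  return credentialsValid(username, password, userStore)
    ? { ok: true, user: username }
    : { ok: false, reason: 'bad-credentials' };
}

// Hardened shape: the server decides from its own settings before it ever
// looks at credentials. The client's DOM state never reaches this function,
// so un-hiding the form in the browser changes nothing here.
function handleLoginAttempt(request, config = settings, userStore = users) {
  const { method, username, password } = request;
  const enabled = config.loginMethods[method];
  if (enabled === undefined) {
    return { ok: false, reason: 'unknown-method' };
  }
  if (!enabled) {
    // Refused regardless of whether the submitted credentials are correct.
    return { ok: false, reason: 'method-disabled' };
  }
  if (method !== 'basic') {
    // External providers would be redirected to their own flow; not simulated.
    return { ok: false, reason: 'external-provider-not-simulated' };
  }
  return credentialsValid(username, password, userStore)
    ? { ok: true, user: username }
    : { ok: false, reason: 'bad-credentials' };
}
```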