biddyweb / ovz-web-panel

Automatically exported from code.google.com/p/ovz-web-panel

Security risk: Replace DB, login, move back original db, still logged in #270

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Steps to reproduce:
1. Stop owp
2. Copy production.sqlite3 to production.sqlite3.bak
3. Copy production.sqlite3 from the installation into the db directory
4. start owp
4. Log into the web panel with admin/admin
5. stop owp
6. delete production.sqlite3
7. rename production.sqlite3.bak to production.sqlite
8. start owp

Actual result:
You remain logged in as the administrator user, despite the fact that you never
entered that password. You also now have access to all the settings for that
server that have been configured through owp.

Expected result:
Should log you back out again.

Version of the product:
1.7 (I think)

Server OS:
Ubuntu 10.04.2

Browser:
Firefox and Chrome

Additional information:

Original issue reported on code.google.com by nshe...@gmail.com on 31 Mar 2011 at 11:11
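
One way to get the expected result above, as an added example (not code from OWP or from the original report): bind the session token to the stored password hash, so a session created against a different database stops validating. All names, the secret and the two sample databases are constructed, and the example assumes the session is a signed token held by the browser, which the page does not state.

```ruby
require "openssl"

# All names here are hypothetical; this is not OWP code.
SERVER_SECRET = "constructed-demo-secret" # app secret, unchanged by a DB swap
# Constructed sample data: a freshly installed DB and the production DB.
FRESH_DB      = { 1 => { id: 1, login: "admin", password_hash: "hash-of-default-password" } }
PRODUCTION_DB = { 1 => { id: 1, login: "admin", password_hash: "hash-of-real-password" } }

def hmac(data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), SERVER_SECRET, data)
end

# Fingerprint of the credential row the session was created against.
def credential_fingerprint(user)
  hmac("#{user[:id]}:#{user[:password_hash]}")
end

# Token format: "<user id>.<credential fingerprint>.<MAC over both>"
def issue_session(user)
  payload = "#{user[:id]}.#{credential_fingerprint(user)}"
  "#{payload}.#{hmac(payload)}"
end

# Constant-time string comparison.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the user row only if the token is valid against the CURRENT database.
def authenticate(token, db)
  user_id, fingerprint, mac = token.to_s.split(".", 3)
  return nil unless user_id && fingerprint && mac
  return nil unless secure_equal?(mac, hmac("#{user_id}.#{fingerprint}")) # tampered
  user = db[user_id.to_i]
  return nil unless user                                                  # unknown user
  return nil unless secure_equal?(fingerprint, credential_fingerprint(user)) # stale
  user
end

# For comparison: a check that trusts the user id in the token and nothing else.
def authenticate_naive(token, db)
  db[token.to_s.split(".", 2).first.to_i]
end

def demo
  token = issue_session(FRESH_DB[1]) # login happened while the fresh DB was in place
  { naive_after_swap: !authenticate_naive(token, PRODUCTION_DB).nil?,
    bound_after_swap: !authenticate(token, PRODUCTION_DB).nil?,
    bound_same_db:    !authenticate(token, FRESH_DB).nil? }
end
```

The binding only distinguishes databases whose stored credential for that user differs; it does not constrain someone who can edit the database file directly.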

GoogleCodeExporter commented 9 years ago
Not sure if there is a real reason to search for a way to fix this. If you have
physical access to the panel database, you can do anything you like.

Original comment by sibprogrammer on 2 Apr 2011 at 11:29

GoogleCodeExporter commented 9 years ago

Original comment by sibprogrammer on 30 Apr 2012 at 5:32