mikebhouston
commented
1 month ago
### Steps to reproduce
1. Browse to the Teampass login page.
2. Enter admin or any valid username and any random password.
3. Successful login.
### Expected behaviour
I should be told that the credentials are incorrect. Fresh install and still configuring setup of first two users, I realized that my User1 and User2 passwords didn't matter what I put, it would still let me in. I couldn't view item passwords, but I could browse the folders and see the items. Since then I switched back to maintenance mode, but realize that it's also affecting the admin account.
### Actual behaviour
It allows me into the Teampass system with incorrect password given.
### Server configuration
**Operating system**:
Ubuntu 22.04 hosted on OpenVZ
**Web server:**
Apache2.4.53
**Database:**
5.5.5-10.6.18-MariaDB-0ubuntu0.22.04.1
**PHP version:**
8.1.2-1ubuntu2.18
**Teampass version:**
3.1.2.120
**Teampass configuration file:**
I can't find the location of the config file.
**Updated from an older Teampass or fresh install:**
Fresh install using:
https://documentation.teampass.net/#/install/installation?id=on-gnulinux-server
### Client configuration
**Browser:**
Chrome 129.0.6668.60
**Operating system:**
Windows 10
### Logs
#### Web server error log
```
[28/Sep/2024:00:44:09 -0500] "GET /TeamPass/index.php HTTP/1.1" 200 26072 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
[28/Sep/2024:00:44:09 -0500] "GET /includes/images/teampass-pwa.png HTTP/1.1" 404 522 "https://mysite.com/TeamPass/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
[28/Sep/2024:00:44:16 -0500] "POST /TeamPass/sources/identify.php HTTP/1.1" 200 1580 "https://mysite.com/TeamPass/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
[28/Sep/2024:00:44:16 -0500] "POST /TeamPass/sources/identify.php HTTP/1.1" 200 1514 "https://mysite.com/TeamPass/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
[28/Sep/2024:00:44:16 -0500] "GET /TeamPass/index.php?page=admin HTTP/1.1" 200 25036 "https://mysite.com/TeamPass/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
[28/Sep/2024:00:44:16 -0500] "POST /TeamPass/sources/main.queries.php HTTP/1.1" 200 1373 "https://mysite.com/TeamPass/index.php?page=admin" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
[28/Sep/2024:00:44:17 -0500] "GET /includes/images/teampass-pwa.png HTTP/1.1" 404 522 "https://mysite.com/TeamPass/index.php?page=admin" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
[28/Sep/2024:00:44:17 -0500] "POST /TeamPass/sources/main.queries.php HTTP/1.1" 200 850 "https://mysite.com/TeamPass/index.php?page=admin" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
[28/Sep/2024:00:44:17 -0500] "POST /TeamPass/sources/main.queries.php HTTP/1.1" 200 1125 "https://mysite.com/TeamPass/index.php?page=admin" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
[28/Sep/2024:00:44:17 -0500] "POST /TeamPass/sources/main.queries.php HTTP/1.1" 200 884 "https://mysite.com/TeamPass/index.php?page=admin" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
[28/Sep/2024:00:44:19 -0500] "POST /TeamPass/sources/admin.queries.php HTTP/1.1" 200 3620 "https://mysite.com/TeamPass/index.php?page=admin" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
```
#### Log from the web-browser developer console (CTRL + SHIFT + i)
```
Insert the log here and especially the answer of the query that failed.
```
nilsteampassnet