Hi,
I'm a little new to the Tessitura SOAP API, but I have been tinkering with it for a bit and have noticed that for accounts that were created in the Tessitura admin area (not via the API) I can log in via their email address as the username and any password I want. ??
I am going to assume we have something configured incorrectly in Tessitura, but this seems like a little bit of a problem.
Also, a 580-page API doc in Word format?! Really?
m
This seems to happen when you create a "Web Login" via the admin interface and it puts the user's Web Login account in a Temporary state. From what I understand this is intended to allow a user to have a chance to be prompted to create their password, but from what I can tell, you can actually just log in with any old password when it's in this state.
-m
This sounds like what we discovered last month -- actually if you use the client application to change the login ID itself, it sets the stored password hash to null, which allows you to log in with any password. We've reported it and last I heard it's in a development queue as a defect.
From: Micah Walter <bounce-micahwalter1468@tessituranetwork.com> Sent: 4/11/2014 3:11:59 PM
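The failure mode described in the two posts above (a web login whose stored password hash is null, or which sits in a Temporary state, being accepted with any password), as an added illustration that is not Tessitura code: a naive check that treats "no hash to compare" as success, beside a fail-closed check and an audit helper that lists the accounts an administrator should review. The record layout, the state names and the sample accounts are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of a web-login record (not Tessitura's schema).
@dataclass
class WebLogin:
    login_id: str
    password_hash: Optional[bytes]   # None until the user has set a password
    salt: bytes
    state: str                       # assumed values: "Active" or "Temporary"

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_naive(login: WebLogin, password: str) -> bool:
    # Buggy pattern: with no stored hash there is "nothing to compare",
    # and the code falls through to success, so any password is accepted.
    if login.password_hash is None:
        return True
    return hmac.compare_digest(login.password_hash, hash_password(password, login.salt))

def verify_hardened(login: WebLogin, password: str) -> bool:
    # Fail closed: an account with no password set, or not yet activated,
    # cannot authenticate by password; it must complete the set-password flow.
    if login.state != "Active" or login.password_hash is None:
        return False
    return hmac.compare_digest(login.password_hash, hash_password(password, login.salt))

def find_passwordless_logins(logins: List[WebLogin]) -> List[str]:
    # Audit helper: accounts that the naive check would accept with any password.
    return [login.login_id for login in logins if login.password_hash is None]

def make_sample_logins() -> List[WebLogin]:
    # Constructed sample data with a fixed salt so results are reproducible.
    salt = b"constructed-salt"
    return [
        WebLogin("alice@example.com", hash_password("correct horse", salt), salt, "Active"),
        WebLogin("bob@example.com", None, salt, "Temporary"),   # created via admin UI, no password yet
    ]

if __name__ == "__main__":
    alice, bob = make_sample_logins()
    print("naive accepts bob with any password:", verify_naive(bob, "anything"))
    print("hardened accepts bob with any password:", verify_hardened(bob, "anything"))
    print("accounts to review:", find_passwordless_logins([alice, bob]))
```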
This has been fixed in v12.1. The fix will also be included if any other builds of v12.0 are released. Thanks.
I agree with Micah that this is a major security issue. Is it possible to get a hotfix out for v12.0? Or do you have any recommended workarounds?
Thanks,
Patrick
I just noticed this while perusing the release notes for today's hotfix, but this was fixed in HF8 for 12.0.3.