From c7b5a8cf2e14ead5f2d201eab362520a9459aa05 Mon Sep 17 00:00:00 2001
From: Ermal
Date: Thu, 21 Jul 2011 21:10:22 +0000
Subject: Plug a security risk on CP where a user can login by submitting a special request
---
 usr/local/captiveportal/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/local/captiveportal/index.php b/usr/local/captiveportal/index.php
index 0170a7a..b08a358 100755
--- usr/local/captiveportal/index.php
+++ b/usr/local/captiveportal/index.php
@@ -193,7 +193,7 @@ EOD;
 captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"FAILURE");
 portal_reply_page($redirurl, "error", $errormsg);
 }
-} else if ($_POST['accept'] && $clientip) {
+} else if ($_POST['accept'] && $clientip && $config['captiveportal']['auth_method'] == "none") {
 captiveportal_logportalauth("unauthenticated",$clientmac,$clientip,"ACCEPT");
 portal_allow($clientip, $clientmac, "unauthenticated");
 } else {
-- 
cgit v1.1
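Review bot: The new `else if` condition reads `$config['captiveportal']['auth_method']` without checking that the key exists, and compares it loosely with `==`. An absent key makes the comparison false, so the branch fails closed, which is the safe direction; but a portal whose configuration predates that setting would, as far as this hunk shows, stop accepting click-through logins, so it is worth confirming that the key is always written. I would spell the test as `isset($config['captiveportal']['auth_method']) && $config['captiveportal']['auth_method'] === "none"`. A POST carrying `accept` that is now refused also drops into the final `else` without leaving a record; logging it there when `$_POST['accept']` is set, e.g. `captiveportal_logportalauth("unauthenticated",$clientmac,$clientip,"FAILURE");`, would make attempts to bypass authentication visible in the portal log. The if/else chain starts and ends outside the hunk, so the other branches could not be checked for the same gating.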