Nicolas Brouard INED wrote:
> Then, just try to enter your e-mail on a standard wiki
> in place of your username and you will be authenticated to the first ID (and user_name)
> having your e-mail.
Great Idea!
> If someone could test this patch above and report the
> security issues as well as performances, it could be great for us.
No idea about PHP and performance, but a possible security hole: Are
there any system messages that output the username when failing to
login? If these messages would use the username from the database query
(because of normalizing or something?) and not from $_POST, you could
find out users' email addresses.
Bergi
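
The concern raised in the reply above, as an added example that is not part of the original thread or of the patch under discussion: a constructed login routine that resolves an e-mail to the first matching account, once with a failure message built from the database row and once with a message built only from the submitted value. The user rows, function names and message texts are hypothetical.

```php
<?php
// Constructed sample rows standing in for a wiki user table (hypothetical schema).
function sampleUsers(): array {
    return [
        ['user_name' => 'Alice', 'user_email' => 'alice@example.org',
         'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
        ['user_name' => 'Bob', 'user_email' => 'bob@example.org',
         'hash' => password_hash('battery staple', PASSWORD_DEFAULT)],
    ];
}

// Match on user_name first, then on the first row holding that e-mail,
// which is the lookup behaviour described in the thread.
function findUser(array $users, string $submitted): ?array {
    foreach ($users as $row) {
        if ($row['user_name'] === $submitted) { return $row; }
    }
    foreach ($users as $row) {
        if (strcasecmp($row['user_email'], $submitted) === 0) { return $row; }
    }
    return null;
}

// Leaky: the failure text comes from the database row, so a failed login
// with an e-mail shows which account holds that address.
function loginLeaky(array $users, string $submitted, string $password): string {
    $row = findUser($users, $submitted);
    if ($row === null) {
        return 'There is no user "' . htmlspecialchars($submitted) . '".';
    }
    if (!password_verify($password, $row['hash'])) {
        return 'Incorrect password for "' . htmlspecialchars($row['user_name']) . '".';
    }
    return 'OK';
}

// Safer: echo only what the client sent, and use the same text whether or
// not a row matched, so the response does not depend on the lookup result.
function loginSafe(array $users, string $submitted, string $password): string {
    $row = findUser($users, $submitted);
    $ok = $row !== null && password_verify($password, $row['hash']);
    return $ok ? 'OK' : 'Login failed for "' . htmlspecialchars($submitted) . '".';
}

$users = sampleUsers();
echo loginLeaky($users, 'alice@example.org', 'wrong'), "\n";
echo loginSafe($users, 'alice@example.org', 'wrong'), "\n";
echo loginSafe($users, 'nobody@example.org', 'wrong'), "\n";
```

When reviewing such a patch, the check is whether any failure message, log line shown to the user, or redirect target is derived from the looked-up row rather than from the request.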