Jaws 0.4 Security fix

JAWS 0.4 has a security bug in gadgets/controlpanel.php that allows an attacker to log in to the JAWS Control Panel by performing a SQL injection against the login query.

Example:

If you change the function crypt_form in your templates/controlpanel/login.html like this, the form submits the injection string in the crypted_password field:

 
function crypt_form(form) {
   var new_password = calcMD5(form.password.value);
   form.crypted_password.value = "' or '2'='2";
   form.password.value = "";
   return true;
}
 

To fix this issue, please replace your gadgets/controlpanel.php with this:

http://jaws.com.mx/data/files/controlpanel.php.txt
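
For anyone checking their own login code for the same pattern, here is the vulnerable query shape beside a hardened one. This is an added example, not the contents of the fixed controlpanel.php or any JAWS code. The users table, its columns, the PDO/SQLite setup and the function names login_vulnerable and login_fixed are assumptions made for illustration, as is the assumption that crypted_password normally carries a 32-hex-digit MD5 digest.

```php
<?php
// Added example: table, columns and queries are assumptions, not the JAWS schema.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, passwd TEXT)");
// Constructed sample account; the stored value is the MD5 hex digest of the password.
$db->exec("INSERT INTO users VALUES ('admin', '" . md5('correct horse') . "')");

// Vulnerable pattern: the submitted field is concatenated into the SQL text,
// so a quote character in crypted_password changes the WHERE clause itself.
function login_vulnerable(PDO $db, string $user, string $crypted): bool
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$user' AND passwd = '$crypted'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// Hardened pattern: validate the expected format, then bind values as parameters.
function login_fixed(PDO $db, string $user, string $crypted): bool
{
    // An MD5 digest is exactly 32 hex digits; anything else is rejected outright.
    if (!preg_match('/\A[0-9a-f]{32}\z/i', $crypted)) {
        return false;
    }
    // The username travels as a bound parameter, never as part of the SQL text.
    $stmt = $db->prepare("SELECT passwd FROM users WHERE username = ?");
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    // No matching row yields false; hash_equals() compares in constant time.
    return is_string($stored) && hash_equals(strtolower($stored), strtolower($crypted));
}

// Constructed inputs: a valid digest, a wrong digest, and the string from the advisory.
$cases = [
    'correct hash'             => md5('correct horse'),
    'wrong hash'               => md5('guess'),
    'string from the advisory' => "' or '2'='2",
];
foreach ($cases as $label => $crypted) {
    printf("%-26s vulnerable=%-5s fixed=%s\n", $label,
        var_export(login_vulnerable($db, 'admin', $crypted), true),
        var_export(login_fixed($db, 'admin', $crypted), true));
}
```

With the concatenated query, the advisory's string turns the condition into one that is true for every row; the hardened function rejects it at the format check before any query runs.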


Thanks to Fernando Quintero for reporting it :-D