Jaws 0.4 Security fix

JAWS 0.4 has a security bug in gadgets/controlpanel.php that allows logging in to the JAWS Control Panel through an SQL injection in the login query.


If you change the function crypt_form in your templates/controlpanel/login.html like this:

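function crypt_form(form) {
   // The MD5 of the typed password is computed but never submitted.
   var new_password = calcMD5(form.password.value);
   // The hidden field carries a raw SQL fragment instead of the digest.
   form.crypted_password.value = "' or '2'='2";
   form.password.value = "";
   return true;
}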

To fix this issue, please replace your gadgets/controlpanel.php with this:


Thanks to Fernando Quintero for reporting it :-D
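
The following is an added example, not JAWS code and not the fixed controlpanel.php: it shows why the crypted_password value above bypasses a login query built by string concatenation, and how validating the digest and binding parameters stops it. The users table, its column names and the function names are assumptions made for the illustration; Python with SQLite stands in for the PHP application and its database.

```python
import hashlib
import re
import sqlite3

# Constructed sample credential: the digest a browser-side MD5 would submit.
SAMPLE_DIGEST = hashlib.md5(b"correct horse").hexdigest()

def make_db():
    # Hypothetical stand-in for the control panel's user table
    # (table and column names are assumptions, not taken from JAWS).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, passwd TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", SAMPLE_DIGEST))
    return db

def login_vulnerable(db, username, crypted_password):
    # Form fields are pasted into the SQL text, so a quote inside
    # crypted_password closes the string literal and the remainder is
    # parsed as SQL: ... AND passwd = '' or '2'='2' is true for every row.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND passwd = '" + crypted_password + "'")
    return db.execute(sql).fetchone() is not None

# The field should only ever hold an MD5 digest (assumed lowercase hex).
MD5_HEX = re.compile(r"[0-9a-f]{32}")

def login_fixed(db, username, crypted_password):
    # 1. Never trust what the client-side script put in the hidden field:
    #    reject anything that is not shaped like a digest.
    if not MD5_HEX.fullmatch(crypted_password):
        return False
    # 2. Bind the values as parameters so they are compared as data and
    #    never parsed as part of the statement.
    row = db.execute(
        "SELECT 1 FROM users WHERE username = ? AND passwd = ?",
        (username, crypted_password)).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    injected = "' or '2'='2"  # value set by the modified crypt_form above
    print("vulnerable, injected value:", login_vulnerable(db, "admin", injected))
    print("fixed, injected value:     ", login_fixed(db, "admin", injected))
    print("fixed, real digest:        ", login_fixed(db, "admin", SAMPLE_DIGEST))
```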