added a vuln for broken auth and session mgmt, issue #2

2013-05-21 00:58:11 -04:00
parent b2e2a1b4b0
commit 671095e030
4 changed files with 35 additions and 3 deletions
@@ -13,8 +13,14 @@ class User < ActiveRecord::Base
       auth = nil
       user = find_by_email(email)
       # I heard something about hashing, dunno, why bother really. Nobody will get access to my stuff!
-       if user && user.password == password
-        auth = user
+       if user
+         if user.password == password
+           auth = user
+         else
+          raise "Incorrect Password!"
+         end 
+       else
+          raise "#{email} doesn't exist!"
       end
       return auth
  end