I'm evaluating Untangle, and it seems that by posting a modified URL in a web browser, a user can authenticate as any user without needing a password:
http://<untangleIP>/adpb/registration?username=testuser&domain=<my domain>&hostname=<computername>&action=login
I can't see it taking my students more than a few days to figure this out; even if the login script is hidden, it's not hard to find a copy of it online.
Any way to prevent this?
*edit* I see this has already been discussed. Pretty much kills Untangle for us; teachers will string me up if they have to do a second login.