I couldn't get you. Can you please explain?
What I wanted to say is that you don't necessarily have to enter a URL manually in the address bar of the browser. You could also use your browser, log out but keep the browser open, switch to your e-mail program and click a link in an e-mail pointing to a page. Depending on the settings of your browser, a new window is created, a new register tab in the existing window is created, or simply the existing window is used.
I think this bug is fixed. Can you please try it again & let me know?
Yes, the bug is fixed. When you log out you will be presented with index.php with the login form. Manually calling challenge.php leads again to index.php with the login form.
What remains is the problem (security hole?) after entering no user name (later, after attaching the user database, probably the same problem with invalid credentials?). I know, it's not quite fair. But doable...
You try to log in without entering a username. You get a page with an error message. Then you manually call challenges.php and you get the list of challenges. I guess it shouldn't be possible to see the page without being logged on.