Bug #24137

EM stores credentials in BE_USER->uc

Added by Steffen Kamper over 2 years ago. Updated 10 months ago.

Status: Under Review
Start date: 2010-11-19
Priority: Should have
Due date:
Assignee: -
% Done: 0%
Category: -
Target version: -
TYPO3 Version: 4.7
Complexity:
PHP Version: 5.3
Votes: 0

Description

That is a bad situation: I can read my password in the configuration module, see attached screenshot.

Suggestion:
Use a fe_user for the credentials.

(issue imported from #M16482)

ter_password.png (13.3 kB) Administrator Admin, 2010-11-19 11:40

History

Updated by Steffen Gebert over 2 years ago

I don't understand, how a fe_user should help.

Password could be stored encrypted - but with which key? It would prevent reading it directly, but if somebody has enough access, it can, of course, be decrypted.

Another possibility would be to not use the t3o credentials, but to allow a kind of API key to be entered in the installation. This key could then allow only handling extension uploads or keys, but not logins for t3o.

Updated by Michael Stucki about 2 years ago

  • Target version deleted (1076)

Updated by Christian Kuhn over 1 year ago

  • TYPO3 Version changed from 4.5 to 4.7
  • Patch is reviewed set to No
  • Has patch set to No

This is not a direct security problem.

We discussed this with the security team and came to the following conclusion:
It would be best if we do not store the password at all. To achieve that, we should remove the check for a saved user password to display the "TER upload" tab in the new EM. We should then remove the 'save username + password' functionality from the settings tab. Furthermore, we should add an update wizard that cycles through all be_users and removes the credentials.

This could be done for 4.7.

Updated by Gerrit Code Review 10 months ago

  • Status changed from New to Under Review

Patch set 1 for branch master_new has been pushed to the review server.
It is available at http://review.typo3.org/13325

Updated by Mario Rimann 10 months ago

The pushed change contains the upgrade wizard. I gave up with the Extension Manager changes as I don't get it right now.

Updated by Helmut Hummel 10 months ago

  • Project changed from Core Security to Core

This low priority issue can be handled publicly.

Solution: Introduce a new report that checks whether the password has been saved in uc; for master, additionally introduce an upgrade wizard that removes the password from all users if there are any.
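The report check and the uc cleanup that the two comments above (Christian Kuhn's and Helmut Hummel's) ask for, as an added example that is not TYPO3 core code and not the change at review.typo3.org/13325. It assumes the saved TER login sits under uc['moduleData']['tools_em'] as fe_u / fe_p and that PHP 7 or later is available for the unserialize option; adjust the path to where the installed EM actually writes.

```php
<?php
// Added example, not TYPO3 core code and not the patch set under review.
// be_users.uc is a serialized PHP array; the location of the saved TER login
// (moduleData -> tools_em -> fe_u / fe_p) is an ASSUMPTION for illustration.

/** Decodes a uc blob without instantiating objects (PHP 7+); false if unusable. */
function decodeUc($serializedUc)
{
    if (!is_string($serializedUc) || $serializedUc === '') {
        return false;                       // e.g. a user who never logged in
    }
    $uc = @unserialize($serializedUc, array('allowed_classes' => false));
    return is_array($uc) ? $uc : false;
}

/** Report check: does this user's uc hold a non-empty saved TER password? */
function ucHasSavedTerPassword($serializedUc)
{
    $uc = decodeUc($serializedUc);
    if ($uc === false || !isset($uc['moduleData']['tools_em'])) {
        return false;
    }
    $em = $uc['moduleData']['tools_em'];
    return is_array($em) && isset($em['fe_p']) && $em['fe_p'] !== '';
}

/** Upgrade wizard step: strip username and password, keep every other uc setting. */
function removeSavedTerCredentials($serializedUc)
{
    $uc = decodeUc($serializedUc);
    if ($uc === false || !isset($uc['moduleData']['tools_em']) || !is_array($uc['moduleData']['tools_em'])) {
        return $serializedUc;               // nothing to clear, leave the row untouched
    }
    unset($uc['moduleData']['tools_em']['fe_u'], $uc['moduleData']['tools_em']['fe_p']);
    return serialize($uc);
}

// Constructed sample rows standing in for SELECT uid, uc FROM be_users.
$rows = array(
    array('uid' => 1, 'uc' => serialize(array('lang' => 'de',
        'moduleData' => array('tools_em' => array('fe_u' => 'alice', 'fe_p' => 'example-only'))))),
    array('uid' => 2, 'uc' => serialize(array('lang' => 'en'))),
    array('uid' => 3, 'uc' => ''),
);
foreach ($rows as $row) {
    if (!ucHasSavedTerPassword($row['uc'])) {
        printf("be_users uid %d: no saved TER password\n", $row['uid']);
        continue;
    }
    // Real wizard: UPDATE be_users SET uc = <escaped cleaned value> WHERE uid = <uid>
    printf("be_users uid %d: cleared -> %s\n", $row['uid'], removeSavedTerCredentials($row['uc']));
}
```

Only rows that actually carry a password are rewritten, so the wizard can be re-run safely and the report stays green once they are gone.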

Updated by Gerrit Code Review 10 months ago

Patch set 2 for branch master_new has been pushed to the review server.
It is available at http://review.typo3.org/13325

Updated by Gerrit Code Review 10 months ago

Patch set 3 for branch master_new has been pushed to the review server.
It is available at http://review.typo3.org/13325
