Bug #85035 (closed)
Security: Manipulate pid for FE login
Status: Rejected
Priority: Must have
Assignee: -
Category: -
Target version: -
Start date: 2018-05-17
% Done: 0%
TYPO3 Version: 7
Description
A user can log in with EXT:felogin by changing the hidden input field "pid", e.g. to
<input name="pid" value="1,2,3,4,5,6,7,8,9,10,...,999" type="hidden">
Let's assume you have a TYPO3 BE which contains several websites. If a user has a valid login for one of these websites, he can log in to all other websites, too.
The pid shouldn't be shown and submitted in the frontend; it should be configurable by TypoScript.
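The defect described in the report, as an added illustration that is not felogin's or TYPO3's own code: a function that trusts the submitted "pid" list beside a hardened variant that takes the storage folders only from server-side configuration. The function names and the shape of the configuration value are assumptions; only the manipulated hidden field comes from the report.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (illustration): the client decides which fe_users storage
// folders are searched, because the comma-separated list in the hidden "pid"
// field is taken at face value. Submitting more IDs widens the search.
function storagePidsFromRequest(array $post): array
{
    $pids = array_map('intval', explode(',', (string)($post['pid'] ?? '')));
    return array_values(array_filter($pids, function (int $p): bool {
        return $p > 0;
    }));
}

// Hardened pattern (illustration): the allowed folders come only from server-side
// configuration (e.g. a TypoScript setting, assumed here as a plain array). A
// client-supplied list can at most narrow that set; anything outside it is
// dropped, and an empty intersection means no folder is searched, so the login
// fails closed instead of being widened.
function storagePidsFromConfig(array $configuredPids, ?string $submitted = null): array
{
    $allowed = array_values(array_unique(array_map('intval', $configuredPids)));
    if ($submitted === null || $submitted === '') {
        return $allowed;
    }
    $requested = array_map('intval', explode(',', $submitted));
    return array_values(array_intersect($allowed, $requested));
}

// Constructed request, mimicking the manipulated hidden field from the report.
$post = ['pid' => '1,2,3,4,5,6,7,8,9,10,999'];

// Vulnerable: every submitted folder would be included in the user lookup.
var_dump(storagePidsFromRequest($post));

// Hardened: this website is configured for folder 42 only, so the submitted
// list contributes nothing and the lookup stays confined to that folder.
var_dump(storagePidsFromConfig(['42'], $post['pid']));
```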