Bug #85035: Security: Manipulate pid for FE login - TYPO3 Core - TYPO3 Forge

Custom queries

12 LTS
Accessibility
Dashboard issues
Easy tasks
Extbase Issues
FAL Issues
FAL Sprint 2023
Hierarchical Issues
Issues reported for v11
JavaScript issues
JavaScript Issues (w/o Epics/Stories)
Most wanted Bugfixes
Most wanted Features
My open issues
New & Unassigned
No feedback within 90 days
Open Bugs
Open issues of 10
Page Tree Regressions after 2020-07-28
Recently modified
Regressions
Stabilization Issues
Usability or UX

Watchers (3)

Markus Klein
Mathias Brodala
Sven Burkert

Actions

Copy link

Bug #85035

closed

Security: Manipulate pid for FE login

Added by Sven Burkert about 6 years ago. Updated over 1 year ago.

Status:

Rejected

Priority:

Must have

Assignee:

Category:

Target version:

Start date:

2018-05-17

Due date:

% Done:

Estimated time:

TYPO3 Version:

PHP Version:

Tags:

Complexity:

Is Regression:

Sprint Focus:

Description

A user can login with EXT:felogin by changing the hidden input field "pid", e.g. to

<input name="pid" value="1,2,3,4,5,6,7,8,9,10,...,999" type="hidden">

Let's assume you have a TYPO3 BE which contains several websites. If a user has a valid login for one of these websites, he can login to all other websites, too.

The pid shouldn't be shown and submitted in frontend, it should be configurable by TypoScript.

Related issues 1 (0 open — 1 closed)

Related to TYPO3 Core - Task #97692: Streamline felogin documentation

Closed

2022-05-26

Actions

Issue # Delay: days Cancel

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Markus Klein about 6 years ago

Project changed from TYPO3 Core to 1716
Category deleted (~~Authentication~~)

Actions

Copy link

Updated by Markus Klein about 6 years ago

TYPO3 Version changed from 8 to 7

Actions

Copy link

Updated by Oliver Hader about 6 years ago

Category set to OW-A02: Broken Authentication

Okay, without focussing on PID values that means (just an assumption, not verified yet):

user (with valid login) is able to login int websiteA.com
user can clone the cookie for websiteB.com (where user would not have access in terms of fe_users record)
thus, a user is able to reuse it's session data in a different website scope

Actions

Copy link

Updated by Helmut Hummel almost 6 years ago

Since user authentication is performed before page id is resolved,
there is no way to set a pid list for only a part of the page tree (chicken/egg problem).
In which page tree we end up, we only know after authentication.

Therefore different pid for fe user storage is only useful for organizational purposes. It is not possible to use this for authorization.
Authorization can solely be controlled with user groups.

This means in a multi site setup and a requirement that fe users from one site don't have access to other sites,
the fact that a user successfully logged in, must not be used to restrict access. Instead access restriction must be done with user groups.

What could be possible though (but isn't implemented) is to enforce pid for fe users per domain.

Actions

Copy link

Updated by Helmut Hummel almost 6 years ago

Project changed from 1716 to TYPO3 Core
Category deleted (~~OW-A02: Broken Authentication~~)

Actions

Copy link

Updated by Helmut Hummel almost 6 years ago

Status changed from New to Needs Feedback

Actions

Copy link

Updated by Sven Burkert almost 6 years ago

I already expected this answer ("use user groups") ;)
But this doesn't solve the problem that a user still can login where he shouldn't (login is successful, but he can't access any restricted page unless he is in the right user group).

Actions

Copy link

Updated by Anja Leichsenring about 2 years ago

Status changed from Needs Feedback to Rejected

after the issue is open for so long and without any interaction, I think the explanation and guidelines given by Helmut are sufficient.

Here the key takeaways:
- don't use pure 'logged in' status as authorization, always rely on user groups
- use different login storage folders only if strictly necessary for organisational purpose

Actions

Copy link