Bug #95728

closed

Backend user login domain restriction not working properly

Added by Andreas Rainer over 2 years ago. Updated over 2 years ago.

Status: Rejected
Priority: Should have
Assignee: -
Category: Backend User Interface
Target version:
Start date: 2021-10-22
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 10
PHP Version:
Tags: be backend login domain security problem
Complexity:
Is Regression:
Sprint Focus:

Description

When creating a BE user you can use the options tab and restrict the user login to a certain domain, say www.example-url.com.
The user then can log in here: www.example-url.com/typo3

If the server is accessible via another domain, too, say www.other-url.com, the user can also call www.other-url.com/typo3 and log in there. This should not be allowed.

Moreover when the user is logged in, he can see the BE but not the page tree or other elements.

The following error message (DE) is displayed:

"Seitenbaumfehler

Unerwartete Antwort vom Server erhalten. Bitte überprüfen Sie die Protokolle für mehr Details."

This is especially a problem for multi-site systems because a lot of domains point to the same server. A user can guess other domains and try to log in. And this may result in a security problem, too.

Maybe one should deny the login via another domain than specified (here: www.example-url.com) completely?


Files

typo3-login-error.png (30.1 KB), Andreas Rainer, 2021-10-22 07:40

#1

Updated by Georg Ringer over 2 years ago

  • Status changed from New to Rejected

This feature has been removed in 11.0; read https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/11.0/Breaking-91782-LockToDomain.html for more details. There are no plans for improving the situation in 10 LTS.

Please use the restriction via storage pages as suggested.

If you really think it is a security issue, please contact the security team at

#2

Updated by Andreas Rainer over 2 years ago

Georg Ringer wrote in #note-1:

This feature has been removed in 11.0; read https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/11.0/Breaking-91782-LockToDomain.html for more details. There are no plans for improving the situation in 10 LTS.

Please use the restriction via storage pages as suggested.

If you really think it is a security issue, please contact the security team at

Thanks Georg, for your reply!

I understand what you are saying, but I think it's a pity that this feature is removed. For Frontend Users, Storage Pages may help, but what about Backend Users? Customer1 can always log in via the domain of Customer2 because

- www.customer1.de/typo3
- www.customer2.de/typo3

are the same?

Kind regards

Andreas
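One way to enforce the per-host denial the reporter asks for (in the description and again in #2) at the web-server level, independent of the removed lockToDomain check; this is an added example and is not part of the issue, of TYPO3 or of its documentation. It assumes nginx in front of PHP-FPM, a document root of /var/www/typo3/public and a socket at /run/php/php-fpm.sock; the hostnames are the ones used in this report.

```nginx
# Added example, not from the issue or from TYPO3: serve the backend entry
# point only on the administration host and answer 404 for it on every
# other hostname that resolves to the same installation.
# Assumed paths: document root /var/www/typo3/public, PHP-FPM socket
# /run/php/php-fpm.sock. Hostnames are the ones used in the report.

upstream php {
    server unix:/run/php/php-fpm.sock;
}

# The one host on which backend login is allowed.
server {
    listen 443 ssl;
    server_name www.example-url.com;
    root /var/www/typo3/public;
    # ssl_certificate / ssl_certificate_key omitted

    location / { try_files $uri $uri/ /index.php$is_args$args; }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_pass php;
    }
}

# Every other site of the multi-site installation and, via default_server,
# any guessed hostname that merely points at this IP: frontend only.
server {
    listen 443 ssl default_server;
    server_name www.other-url.com www.customer1.de www.customer2.de;
    root /var/www/typo3/public;

    # Frontend pages may still reference public assets of system extensions
    # below /typo3/sysext/<ext>/Resources/Public/, so allow those first
    # (regex locations are evaluated in order; the first match wins).
    location ~ ^/typo3/sysext/[^/]+/Resources/Public/ { try_files $uri =404; }

    # Block exactly /typo3 and everything below /typo3/. The (/|$) keeps
    # /typo3conf/ and /typo3temp/ reachable; the frontend needs them.
    location ~ ^/typo3(/|$) { return 404; }

    location / { try_files $uri $uri/ /index.php$is_args$args; }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_pass php;
    }
}
```

After reloading nginx, a request for /typo3/ on www.other-url.com (or any hostname not listed in the first server block) returns 404, while www.example-url.com/typo3/ still serves the login form.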
