Bug #95728
Backend user login domain restriction not working properly (Status: closed)
Description
When creating a BE user you can use the options tab and restrict the user login to a certain domain, say www.example-url.com.
The user then can log in here: www.example-url.com/typo3
If the server is accessible via another domain, too, say www.other-url.com, the user can also call www.other-url.com/typo3 and log in there. This should not be allowed.
Moreover, when the user is logged in, he can see the BE but not the page tree or other elements.
The following error message (DE) is displayed:
"Seitenbaumfehler
Unerwartete Antwort vom Server erhalten. Bitte überprüfen Sie die Protokolle für mehr Details."
This is especially a problem for multi-site systems because a lot of domains point to the same server. A user can guess other domains and try to log in. And this may result in a security problem also.
Maybe one should deny the login via another domain than the specified one (here: www.example-url.com) completely?
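To make the expected behaviour concrete, here is an added illustration (not TYPO3 code, and not taken from this ticket): a host check that admits a backend login only when the request's Host header matches the domain the user is locked to. The user table, the login attempts and the field name lock_to_domain are constructed for the example; matching is case-insensitive and ignores the port, so only a genuinely different domain (the www.other-url.com case above) is rejected.

```python
def normalize_host(raw):
    """Lower-case a Host header value and strip port and trailing dot."""
    host = raw.strip().lower()
    if host.startswith("["):              # IPv6 literal such as [::1]:8080
        host = host[1:host.index("]")]
    else:
        host = host.split(":", 1)[0]      # drop an explicit port
    return host.rstrip(".")


def login_allowed(request_host, lock_to_domain):
    """Allow the login only on the locked domain.

    An empty lock_to_domain means the user is not restricted.
    """
    if not lock_to_domain:
        return True
    return normalize_host(request_host) == normalize_host(lock_to_domain)


# Constructed sample: BE users and the domain each one is locked to ("" = no lock).
USERS = {
    "customer1": "www.customer1.de",
    "customer2": "www.customer2.de",
    "admin": "",
}

# Constructed sample of login attempts: (username, Host header of the request).
ATTEMPTS = [
    ("customer1", "www.customer1.de"),
    ("customer1", "www.customer2.de"),      # cross-domain attempt from the report
    ("customer2", "WWW.Customer2.DE:443"),  # case and port differences are fine
    ("admin", "www.other-url.com"),         # unrestricted user
]


def evaluate_attempts(attempts, users):
    """Return the (user, host) pairs that must be rejected."""
    return [(u, h) for u, h in attempts if not login_allowed(h, users.get(u, ""))]


if __name__ == "__main__":
    for user, host in evaluate_attempts(ATTEMPTS, USERS):
        print(f"deny login of {user} via {host}")
```

The check is deliberately an exact-host comparison after normalisation; a suffix or substring match would let www.customer1.de.attacker.example pass, which is the kind of guessable-host problem the report describes.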
Updated by Georg Ringer over 2 years ago
- Status changed from New to Rejected
This feature has been removed in 11.0; read https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/11.0/Breaking-91782-LockToDomain.html for more details. There are no plans for improving the situation in 10 LTS.
Please use the restriction via storage pages as suggested.
If you really think it is a security issue, please contact the security team at security@typo3.org
Updated by Andreas Rainer over 2 years ago
Georg Ringer wrote in #note-1:
This feature has been removed in 11.0; read https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/11.0/Breaking-91782-LockToDomain.html for more details. There are no plans for improving the situation in 10 LTS.
Please use the restriction via storage pages as suggested.
If you really think it is a security issue, please contact the security team at security@typo3.org
Thanks Georg, for your reply!
I understand what you are saying, but I think it's a pity that this feature is removed. For Frontend Users, Storage Pages may help, but what about Backend Users? Customer1 can always log in via the domain of Customer2 because
- www.customer1.de/typo3
- www.customer2.de/typo3
are the same?
Kind regards
Andreas