
Bug #95728

closed

Backend user login domain restriction not working properly

Added by Andreas Rainer over 2 years ago. Updated over 2 years ago.

Status: Rejected
Priority: Should have
Assignee: -
Category: Backend User Interface
Target version: -
Start date: 2021-10-22
Due date: -
% Done: 0%
Estimated time: -
TYPO3 Version: 10
PHP Version: -
Tags: be backend login domain security problem
Complexity: -
Is Regression: -
Sprint Focus: -

Description

When creating a BE user you can use the Options tab and restrict the user's login to a certain domain, say www.example-url.com.
The user can then log in here: www.example-url.com/typo3

If the server is accessible via another domain, too, say www.other-url.com, the user can also call www.other-url.com/typo3 and log in there. This should not be allowed.

Moreover, when the user is logged in, he can see the BE but not the page tree or other elements.

The following error message (DE) is displayed:

"Seitenbaumfehler

Unerwartete Antwort vom Server erhalten. Bitte überprüfen Sie die Protokolle für mehr Details."

This is especially a problem for multi-site systems because a lot of domains point to the same server. A user can guess other domains and try to log in, and this may result in a security problem as well.

Maybe one should deny the login via another domain than specified (here: www.example-url.com) completely?
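The behaviour the report expects, as an added Python illustration that is not TYPO3's own code: a lock-to-domain check has to compare the host the request actually arrived on with the user's locked domain, including the case and port variants a browser may send. Only the field name lockToDomain (the be_users column the Options tab writes) is taken from TYPO3; the function names and sample hosts are assumptions.

```python
# Added illustration (not TYPO3 code): how a per-user domain lock like the
# be_users "lockToDomain" option has to compare the allowed domain with the
# host the request actually arrived on.

def normalize_host(host: str) -> str:
    """Lower-case the host and drop a port suffix (IPv6 literals stay intact)."""
    host = host.strip().lower()
    if host.startswith("["):                 # IPv6 literal, e.g. [::1]:8080
        return host.split("]")[0] + "]"
    return host.split(":")[0]

def login_allowed(lock_to_domain: str, request_host: str) -> bool:
    """Return True when the user may log in on this host.

    An empty lock means "no restriction"; otherwise the normalized request host
    must equal the locked domain exactly (no subdomain or suffix matching), so
    www.other-url.com is refused for a user locked to www.example-url.com.
    """
    if not lock_to_domain.strip():
        return True
    return normalize_host(request_host) == normalize_host(lock_to_domain)

if __name__ == "__main__":
    # Constructed sample: the situation described in the report.
    user_lock = "www.example-url.com"
    for host in ("www.example-url.com", "www.example-url.com:443",
                 "WWW.EXAMPLE-URL.COM", "www.other-url.com", "example-url.com"):
        print(host, "->", "allowed" if login_allowed(user_lock, host) else "refused")
```

Whatever implements the check, the host it compares comes from the client-supplied Host header, so the web server (and TYPO3's trustedHostsPattern setting) must reject host names the site is not meant to serve.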


Files

typo3-login-error.png (30.1 KB) typo3-login-error.png Andreas Rainer, 2021-10-22 07:40
