Bug #106743
Status: Closed (100% done). Parent task: Epic #106772: Streamline May 2025 security releases (collection issue)
Creating new BE users now requires additional authentication
Description
The change introduced with [SECURITY] Require step-up authentication for password change and https://forge.typo3.org/issues/103252 requires authentication when changing a password.
IMHO, this is unnecessary when creating new users and can be quite a nuisance for setting up new users.
Side note:
(Additionally, for most users we don't even need the password because we use an external login server (SSO). We also have introduced a field where you can select the login type. It would probably make sense to remove the password field if native login is not supported; however, I would prefer if a mechanism for this was introduced in core, since extensions implementing this would probably result in conflicts if you want to provide several.)
Versions
- change was applied to >= v12
- noticed change in v12
Updated by Oliver Hader 28 days ago
https://review.typo3.org/c/Packages/TYPO3.CMS/+/89491 would introduce a new event that allows bypassing the step-up authentication. Would that be a feasible alternative for your use case?
Updated by Sybille Peters 28 days ago
Oliver:
Would that be a feasible alternative for your use-case?
Yes, theoretically yes (did not test the patch yet). Thank you for responding.
Updated by Gerrit Code Review 28 days ago
- Status changed from New to Under Review
Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/89491
Updated by Gerrit Code Review 25 days ago
Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/89491
Updated by Gerrit Code Review 24 days ago
Patch set 5 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/89491
Updated by Oliver Hader 24 days ago
I wanted to leave feedback on the assumption in the original issue description:
Sybille Peters wrote:
IMHO, this is unnecessary when creating new users and can be quite a nuisance for setting up new users.
The basic concepts of the underlying problem are referenced in https://cwe.mitre.org/data/definitions/620.html
Allowing the creation of new users without verification would allow an attacker to create a new admin user, which could then be used further.
This also applies when creating new non-admin users, since it would allow privileges to be granted generously.
Updated by Gerrit Code Review 24 days ago
Patch set 6 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/89491
Updated by Gerrit Code Review 24 days ago
Patch set 7 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/89491
Updated by Gerrit Code Review 24 days ago
Patch set 8 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/89491
Updated by Gerrit Code Review 23 days ago
Patch set 9 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/89491
Updated by Gerrit Code Review 23 days ago
Patch set 1 for branch 13.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/89563
Updated by Gerrit Code Review 23 days ago
Patch set 2 for branch 13.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/89563
Updated by Gerrit Code Review 23 days ago
Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/89564
Updated by Oliver Hader 23 days ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 76d48d96e646111ea6681abcc19225410edca96b.
Updated by Garvin Hicking 21 days ago
- Related to Bug #106795: SudoModeVerifyEvent Attribute "SensitiveParameter" cannot target property added
Updated by Sybille Peters 17 days ago
Feedback after patch: I debugged the new version, and it looks like DataHandlerAuthenticationContext::processDatamap_postProcessFieldArray would be able to detect that a new BE user is being created (dataHandler->datamap->be_users[NEW....) if the BE user is created via the normal process. In this case, I don't really see why it should be necessary to query the sudo login if a new user is being created and a new password assigned.
I understand we can now use the events, but it makes it necessary to add code.
(sorry, I should have commented this before, but I am currently still a bit disabled after an accident).
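The two technical points in this thread, Oliver's argument that creating a backend user is as sensitive as changing a password (CWE-620: a new credential that can log in, possibly with generous privileges) and Sybille's observation that the datamap reveals a new be_users record by its NEW-prefixed placeholder id, can be put together as a small step-up policy. The following is an added illustration in PHP 8, not TYPO3 core code and not the patch under review: the class name StepUpPolicy, the session key sudoModeVerifiedAt, the list of sensitive fields and the 300-second verification window are all assumptions; only the datamap shape (table => id => fields, with NEW-prefixed ids for new records) follows what the comment above describes.

```php
<?php
declare(strict_types=1);

// Hypothetical step-up ("sudo mode") policy for a TYPO3-style datamap.
// Constructed example; names, field list and TTL are assumptions, not core code.
final class StepUpPolicy
{
    /** A completed re-authentication stays valid for this many seconds (assumed). */
    private const VERIFICATION_TTL = 300;

    /** Fields on be_users whose change grants, changes or restores access (assumed list). */
    private const SENSITIVE_BE_USER_FIELDS = ['password', 'admin', 'usergroup', 'disable'];

    /**
     * Returns the reasons why this datamap needs step-up authentication.
     * An empty list means the write may proceed without re-verification.
     *
     * @param array<string, array<string|int, array<string, mixed>>> $datamap table => uid or NEW-id => fields
     * @return string[]
     */
    public function sensitiveOperations(array $datamap): array
    {
        $reasons = [];
        foreach ($datamap['be_users'] ?? [] as $id => $fields) {
            // New records carry a placeholder id starting with "NEW" (as described in the thread).
            if (is_string($id) && str_starts_with($id, 'NEW')) {
                // A new account is a new credential: treat it exactly like a password change.
                $reasons[] = sprintf('be_users[%s]: new backend user', $id);
                continue;
            }
            foreach (self::SENSITIVE_BE_USER_FIELDS as $field) {
                if (array_key_exists($field, $fields)) {
                    $reasons[] = sprintf('be_users[%s]: change of "%s"', $id, $field);
                }
            }
        }
        return $reasons;
    }

    /** True when the session holds a step-up verification that is still within the TTL. */
    public function isVerified(array $session, int $now): bool
    {
        $verifiedAt = $session['sudoModeVerifiedAt'] ?? null;
        return is_int($verifiedAt) && ($now - $verifiedAt) <= self::VERIFICATION_TTL;
    }
}

// --- constructed demo input --------------------------------------------------
$policy = new StepUpPolicy();
$now = time();

// New user submitted through the regular editing form (placeholder id constructed).
$createUser = ['be_users' => ['NEW6815fa' => ['username' => 'editor2', 'password' => 's3cret', 'admin' => 0]]];
// Harmless edit: only the e-mail address of an existing user changes.
$editEmail = ['be_users' => [42 => ['email' => 'editor@example.org']]];
// A verification from ten minutes ago is stale for a five-minute window; thirty seconds is fresh.
$staleSession = ['sudoModeVerifiedAt' => $now - 600];
$freshSession = ['sudoModeVerifiedAt' => $now - 30];

$cases = [
    ['create user', $createUser, $staleSession],
    ['edit e-mail', $editEmail, $staleSession],
    ['create user', $createUser, $freshSession],
];
foreach ($cases as [$label, $datamap, $session]) {
    $reasons = $policy->sensitiveOperations($datamap);
    $needsStepUp = $reasons !== [] && !$policy->isVerified($session, $now);
    printf(
        "%-12s -> %s%s\n",
        $label,
        $needsStepUp ? 'require re-authentication' : 'proceed',
        $reasons !== [] ? ' (' . implode('; ', $reasons) . ')' : ''
    );
}
```

The policy is default-deny for new be_users records, which is the position Oliver takes above; an exemption for a trusted provisioning path (for example SSO-managed accounts that never receive a usable password) belongs in a deliberate hook such as the event from change 89491, not in a relaxation of the rule itself.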