TYPO3 Core

I can't reproduce this.
If I do what you described in the bugreport I immediately get "you don't have access to this module" for the user account where the admin rights have been removed.
Actually exactly what you suggest in your report exits since TYPO3 exists - everytime a user does anything in the BE it is checked if he has the rights to do this.

you can not reproduce this thing if you do it from one client pc.. you need at last two. An other problem is, that two persons can be logged in from two different locations under the same username..

Let's not overestimate the importance of this. First of all, even if it works, this is not a remote exploit, so I would be wary of defining this as a "way of hacking sites".

Second, I can't confirm this working either.

Andreas,

you can be shure that I tested it from two different clients - really, believe me ;-)

And about your other point: if two persons know the same user/password combination it's definetively not a problem of TYPO3.....
Generally you have to realize that if you give an admin login to anyone you give him
1. full access to the system
2. the database password
3. the possibility to change the install tool password

2. and 3. are easily possible with tools like "quixplorer" or any included php file in typoScript. But that's no TYPO3 Problem too. An Admin has to be trustworthy per definition.

greets
rupert

well.. but i mean it's possible to gain admin rights for a normal BE user.. (i think you know how..)

i'm currently testing how that thing with the usernames worked..

but i mean it's possible to gain admin rights for a normal BE user

No. It means that user, who was admin, remain admin until he logs out. But it does not mean that non-admin user can become admin.

not a bug