Bug #16107

closed

Security breach --> possibility to hack system

Added by Andreas Balzer over 18 years ago. Updated about 16 years ago.

Status: Closed
Priority: Should have
Category: Backend User Interface
Target version: -
Start date: 2006-04-30
% Done: 0%
TYPO3 Version: 4.0
PHP Version: 4

Description

If user A is logged in as an admin user and user B logs in under another username that is an admin, and user B removes the admin rights of user A, user A can still act as an admin as long as he does not log out.

This should be changed immediately, so that every time a BE user loads a module or does anything critical (e.g. uploads files) it is checked whether the user has the rights to do so.

This should be done immediately, as it's a possible way of hacking TYPO3 sites.
(issue imported from #M3385)

Actions #1

Updated by Rupert Germann over 18 years ago

I can't reproduce this.
If I do what you described in the bug report I immediately get "you don't have access to this module" for the user account where the admin rights have been removed.
Actually, exactly what you suggest in your report has existed for as long as TYPO3 has existed: every time a user does anything in the BE it is checked whether he has the rights to do this.
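The two behaviours argued about in this thread (a session that keeps the admin flag it was given at login, versus a backend that re-reads the user record on every request) can be modelled in a few lines. The following is an added illustration written for this page, not TYPO3 code: the `USERS` dict stands in for the `be_users` table, `SESSIONS` for the session store, and the user names "a", "b" and "c" are constructed sample data. It also covers the second point raised in the thread, two sessions open under the same username, by terminating all of a user's sessions when an admin revokes their rights.

```python
"""Stale session privilege vs. per-request re-check (constructed model, not TYPO3 code)."""
from dataclasses import dataclass
from typing import Dict
import secrets


@dataclass
class User:
    name: str
    admin: bool
    disabled: bool = False


@dataclass
class Session:
    sid: str
    user: str
    cached_admin: bool  # copied from the user row at login time


USERS: Dict[str, User] = {}        # stands in for the be_users table
SESSIONS: Dict[str, Session] = {}  # stands in for the server-side session store


def reset() -> None:
    """Constructed fixture: two admins and one ordinary backend user."""
    USERS.clear()
    SESSIONS.clear()
    USERS["a"] = User("a", admin=True)
    USERS["b"] = User("b", admin=True)
    USERS["c"] = User("c", admin=False)


def login(name: str) -> Session:
    u = USERS[name]
    if u.disabled:
        raise PermissionError(f"{name} is disabled")
    s = Session(secrets.token_hex(16), name, cached_admin=u.admin)
    SESSIONS[s.sid] = s
    return s


def is_admin_cached(sid: str) -> bool:
    """The behaviour the reporter describes: trust the flag stored at login."""
    s = SESSIONS.get(sid)
    return s is not None and s.cached_admin


def is_admin_live(sid: str) -> bool:
    """The behaviour the reply describes: re-read the user row on every request."""
    s = SESSIONS.get(sid)
    if s is None:
        return False
    u = USERS.get(s.user)
    if u is None or u.disabled:
        SESSIONS.pop(sid, None)  # deleted or disabled account: drop the session
        return False
    return u.admin


def revoke_admin(actor_sid: str, target: str, terminate_sessions: bool = True) -> int:
    """Actor must currently be admin. Returns how many of target's sessions were ended."""
    if not is_admin_live(actor_sid):
        raise PermissionError("only admins may change admin rights")
    USERS[target].admin = False
    killed = 0
    if terminate_sessions:
        # Two people may share one login (second point in the thread): end all of them.
        for sid in [k for k, v in SESSIONS.items() if v.user == target]:
            del SESSIONS[sid]
            killed += 1
    return killed


def demo_stale_flag():
    """A logged in twice, B revokes A without ending sessions: cached says yes, live says no."""
    reset()
    a1 = login("a")
    a2 = login("a")
    b = login("b")
    revoke_admin(b.sid, "a", terminate_sessions=False)
    return (is_admin_cached(a1.sid), is_admin_live(a1.sid), is_admin_live(a2.sid))


def demo_terminate():
    """Same scenario, but revocation also ends every session of the target."""
    reset()
    a1 = login("a")
    a2 = login("a")
    b = login("b")
    killed = revoke_admin(b.sid, "a")
    return (killed, a1.sid in SESSIONS, is_admin_cached(a1.sid), is_admin_live(a2.sid))


def demo_non_admin_actor() -> bool:
    """A non-admin cannot revoke anyone; A keeps admin."""
    reset()
    c = login("c")
    try:
        revoke_admin(c.sid, "a")
    except PermissionError:
        return USERS["a"].admin
    return False
```

`is_admin_live` is the check the reply says TYPO3 already performs; `is_admin_cached` is the failure mode the report describes. Terminating the target's sessions in `revoke_admin` is belt and braces: even a code path that only consults the session copy then fails closed.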

Actions #2

Updated by Andreas Balzer over 18 years ago

You cannot reproduce this if you do it from one client PC; you need at least two. Another problem is that two persons can be logged in from two different locations under the same username.

Actions #3

Updated by Dimitri Tarassenko over 18 years ago

Let's not overestimate the importance of this. First of all, even if it works, this is not a remote exploit, so I would be wary of defining this as a "way of hacking sites".

Second, I can't confirm this working either.

Actions #4

Updated by Rupert Germann over 18 years ago

Andreas,

You can be sure that I tested it from two different clients - really, believe me ;-)

And about your other point: if two persons know the same user/password combination it's definitely not a problem of TYPO3.
Generally you have to realize that if you give an admin login to anyone you give him
1. full access to the system
2. the database password
3. the possibility to change the install tool password

2. and 3. are easily possible with tools like "quixplorer" or any included PHP file in TypoScript. But that's not a TYPO3 problem either. An admin has to be trustworthy per definition.

greets
rupert

Actions #5

Updated by Andreas Balzer over 18 years ago

Well, but I mean it's possible to gain admin rights for a normal BE user (I think you know how).

I'm currently testing how that thing with the usernames worked.

Actions #6

Updated by Dmitry Dulepov over 18 years ago

"but i mean it's possible to gain admin rights for a normal BE user"

No. It means that a user who was admin remains admin until he logs out. But it does not mean that a non-admin user can become admin.

Actions #7

Updated by Ingo Renner about 16 years ago

not a bug
