Bug #16107
closed
Security breach --> possibility to hack system
Added by Andreas Balzer over 18 years ago.
Updated about 16 years ago.
Category: Backend User Interface
Description
If user A is logged in as an admin user and user B logs in under another username that is also an admin, and user B removes the admin rights of user A, user A can still act as an admin as long as he does not log out.
This should be changed immediately, so that every time a BE user loads a module or does anything critical (e.g. uploads files) it is checked whether the user has the rights to do so.
This should be done immediately, as it is a possible way of hacking TYPO3 sites.
(issue imported from #M3385)
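The scenario in the report, as an added example that is not part of the original issue and not TYPO3's own code: a constructed Python model of a backend whose sessions either carry a privilege snapshot taken at login (the behaviour the reporter describes) or re-read the user record on every request (the check the reporter asks for), plus the extra step of terminating a user's open sessions when their record changes. The names Backend, Session and scenario, and the two-user table, are assumptions made for this illustration.

```python
"""Stale-privilege-in-session model (constructed example, not TYPO3 code)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class UserRecord:
    """One row of a constructed user table (stands in for a be_users record)."""
    admin: bool


@dataclass
class Session:
    username: str
    admin_at_login: bool   # privilege snapshot copied into the session at login
    valid: bool = True     # False once the backend has terminated the session


class Backend:
    """Constructed backend with a user table and an in-memory session store."""

    def __init__(self, users: Dict[str, bool]) -> None:
        self.users = {name: UserRecord(admin=flag) for name, flag in users.items()}
        self.sessions: List[Session] = []

    def login(self, username: str) -> Session:
        """Logging in copies the current admin flag into the new session."""
        s = Session(username, self.users[username].admin)
        self.sessions.append(s)
        return s

    def revoke_admin(self, username: str, kill_sessions: bool = False) -> None:
        """Remove admin rights; optionally terminate that user's open sessions."""
        self.users[username].admin = False
        if kill_sessions:
            for s in self.sessions:
                if s.username == username:
                    s.valid = False

    def admin_check_cached(self, s: Session) -> bool:
        """Weak check: trusts the snapshot taken at login time."""
        return s.valid and s.admin_at_login

    def admin_check_live(self, s: Session) -> bool:
        """Correct check: re-reads the user record on every request."""
        return s.valid and self.users[s.username].admin


def scenario(check_name: str, kill_sessions: bool = False) -> bool:
    """Replay the report: A and B are admins on two clients, B revokes A,
    then A (still logged in) tries an admin action. Returns whether A gets in."""
    be = Backend({"userA": True, "userB": True})   # constructed user table
    a = be.login("userA")   # client 1
    b = be.login("userB")   # client 2
    assert be.admin_check_live(b)
    be.revoke_admin("userA", kill_sessions=kill_sessions)
    check = getattr(be, check_name)
    return check(a)


if __name__ == "__main__":
    print("cached flag, no session kill:", scenario("admin_check_cached"))
    print("live re-read, no session kill:", scenario("admin_check_live"))
    print("cached flag, sessions killed:", scenario("admin_check_cached", True))
```

Only the cached-flag check without session termination lets the revoked user keep acting as admin; re-reading the record per request or terminating the user's sessions on the change both close the window, and the second also removes any other session opened under the same username.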
I can't reproduce this.
If I do what you described in the bugreport I immediately get "you don't have access to this module" for the user account where the admin rights have been removed.
Actually, exactly what you suggest in your report has existed for as long as TYPO3 exists: every time a user does anything in the BE it is checked whether he has the rights to do this.
You cannot reproduce this if you do it from one client PC; you need at least two. Another problem is that two persons can be logged in from two different locations under the same username.
Let's not overestimate the importance of this. First of all, even if it works, this is not a remote exploit, so I would be wary of defining this as a "way of hacking sites".
Second, I can't confirm this working either.
Andreas,
you can be sure that I tested it from two different clients - really, believe me ;-)
And about your other point: if two persons know the same user/password combination, it's definitely not a problem of TYPO3.
Generally you have to realize that if you give an admin login to anyone you give him
1. full access to the system
2. the database password
3. the possibility to change the install tool password
2. and 3. are easily possible with tools like "quixplorer" or any included PHP file in TypoScript. But that's no TYPO3 problem either. An admin has to be trustworthy by definition.
greets
rupert
Well, but I mean it's possible to gain admin rights for a normal BE user (I think you know how...).
I'm currently testing how that thing with the usernames worked.
> but I mean it's possible to gain admin rights for a normal BE user
No. It means that a user who was admin remains admin until he logs out. But it does not mean that a non-admin user can become admin.