Bug #22179
Status: closed
Privilege escalation in sys_actions (DB mount, usergroups)
Done: 0%
Description
---------------------------- (1) ------------------------------------
Arbitrary database mountpoints can be added (to a backend user account
created by sys_action) via modifying HTTP POST parameters
[REMOVED]
---------------------------- (2) ------------------------------------
Membership to arbitrary backend groups can be added (to a backend user
account created by sys_action) via modifying HTTP POST parameter
Reason: It seems that function fixUserGroup() in class.tx_sysaction.php
does not work properly.
Both reports by Henning Pingel.
Premises
---------------------------------------------------------------------
a) SYSEXT:Taskcenter is enabled
b) SYSEXT:sys_action is enabled
c) A "action" record for "be_user_creation" must exist and be enabled.
d) A non-admin backend user must legally be allowed to use this "action"
record to create new backend users.
e) This non-admin backend user must be logged in to the TYPO3 backend and
can exploit the issues via the Taskcenter
(issue imported from #M13650)
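As an added illustration of what a working fixUserGroup()-style check has to do (example code written for this page, not code from the TYPO3 core or from the original patch): every usergroup and db_mountpoints uid submitted through the Taskcenter form is intersected with the allow-list stored on the "action" record, so editing the POST body cannot grant anything the action record does not already permit. The field names allowed_usergroups and allowed_db_mountpoints, the function names and the sample values are assumptions.

```php
<?php
// Added example, not TYPO3's own code. $post stands in for the decoded
// HTTP POST body of the be_user_creation form; $action for the action record.

/**
 * Keep only the uids that the action record explicitly permits.
 * Both arguments are comma-separated uid lists, as TYPO3 stores them.
 * Anything not on the allow-list is silently dropped, so a tampered
 * POST parameter can never add a group or mountpoint of its own.
 */
function filterAllowedUids(string $submitted, string $allowed): string
{
    // array_filter() also removes 0 and empty entries from the allow-list.
    $allowedSet = array_flip(array_filter(array_map('intval', explode(',', $allowed))));
    $result = [];
    foreach (explode(',', $submitted) as $raw) {
        $uid = (int) trim($raw);
        if ($uid > 0 && isset($allowedSet[$uid]) && !in_array($uid, $result, true)) {
            $result[] = $uid;
        }
    }
    return implode(',', $result);
}

/**
 * Build the be_users field values from the POST data; usergroup and
 * db_mountpoints are taken from the request only after filtering against
 * the action record (hypothetical field names allowed_usergroups and
 * allowed_db_mountpoints).
 */
function buildNewUserFields(array $post, array $action): array
{
    return [
        'username'       => trim((string) ($post['username'] ?? '')),
        'usergroup'      => filterAllowedUids((string) ($post['usergroup'] ?? ''),
                                              (string) ($action['allowed_usergroups'] ?? '')),
        'db_mountpoints' => filterAllowedUids((string) ($post['db_mountpoints'] ?? ''),
                                              (string) ($action['allowed_db_mountpoints'] ?? '')),
    ];
}

// Constructed sample: the action record permits groups 3 and 4 and page 10 only.
$action = ['allowed_usergroups' => '3,4', 'allowed_db_mountpoints' => '10'];
// Constructed sample of a modified POST body that also names group 1 and page 1.
$post = ['username' => 'newuser', 'usergroup' => '1,3,4', 'db_mountpoints' => '1,10'];
var_dump(buildNewUserFields($post, $action));
```

The resulting record keeps only usergroup "3,4" and db_mountpoints "10"; the extra uids from the request are discarded rather than written to be_users.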
Updated by Susanne Moog about 14 years ago
+1 by reading and testing for 4.2 & 4.3.
Updated by Ernesto Baschny about 14 years ago
+1 by reading and testing 4.2 and 4.3.
New patches to fix a bug when assigning db_mountpoints (which was broken in the original patch). See comments in the core-security list.
Updated by Helmut Hummel about 14 years ago
Exploit information:
Arbitrary database mountpoints can be added (to a backend user account
created by sys_action) via modifying HTTP POST parameters
[REMOVED]