Bug #22179
Status: closed
Privilege escalation in sys_actions (DB mount, usergroups)
Description
---------------------------- (1) ------------------------------------
Arbitrary database mountpoints can be added (to a backend user account
created by sys_action) by modifying HTTP POST parameters.
[REMOVED]
---------------------------- (2) ------------------------------------
Membership of arbitrary backend groups can be added (to a backend user
account created by sys_action) by modifying an HTTP POST parameter.
Reason: the function fixUserGroup() in class.tx_sysaction.php does not
seem to work properly.
Both reports by Henning Pingel.
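Added example (not code from TYPO3 or from the report) modelling both issues: the vulnerable handler grants whatever usergroup and db_mountpoints uids the POST carries, while the hardened one lets the action record, not the submitted form, bound what the new user may receive. ACTION_RECORD, TAMPERED_POST, the field names and the function names are assumptions.

```python
# Constructed model of the sys_action "be_user_creation" check; names are
# assumptions, not TYPO3's own.  The action record fixes which be_groups
# and DB mounts a user created through it may receive.
ACTION_RECORD = {
    "uid": 7,
    "allowed_usergroups": {3, 5},  # be_groups uids the action may assign
    "allowed_db_mounts": {12},     # page uids the action may mount
}
# Constructed POST body: the form offered group 3 and mount 12, but the
# client appended group 1 and mount 9, which the action does not allow.
TAMPERED_POST = {"username": "newuser", "usergroup": "3,1", "db_mountpoints": "12,9"}

def parse_id_list(value: str) -> set[int]:
    """Parse a comma-separated list of integer uids from a POST field."""
    ids = set()
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        if not part.isdigit():
            raise ValueError(f"non-numeric uid: {part!r}")
        ids.add(int(part))
    return ids

def create_user_vulnerable(post: dict, action: dict) -> dict:
    """Trusts the client: whatever uids were posted land on the new user."""
    return {"username": post["username"],
            "usergroup": parse_id_list(post.get("usergroup", "")),
            "db_mountpoints": parse_id_list(post.get("db_mountpoints", ""))}

def create_user_hardened(post: dict, action: dict) -> dict:
    """The action record, not the form, bounds what the new user is granted."""
    groups = parse_id_list(post.get("usergroup", ""))
    mounts = parse_id_list(post.get("db_mountpoints", ""))
    extra_groups = groups - action["allowed_usergroups"]
    extra_mounts = mounts - action["allowed_db_mounts"]
    if extra_groups or extra_mounts:
        # Reject rather than silently trim, so the tampering attempt is visible.
        raise PermissionError(f"action {action['uid']} may not grant groups "
                              f"{sorted(extra_groups)} or mounts {sorted(extra_mounts)}")
    return {"username": post["username"], "usergroup": groups,
            "db_mountpoints": mounts}

def is_rejected(post: dict, action: dict) -> bool:
    # True if the hardened handler refuses the request.
    try:
        create_user_hardened(post, action)
    except PermissionError:
        return True
    return False
```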
Premises
---------------------------------------------------------------------
a) SYSEXT:Taskcenter is enabled
b) SYSEXT:sys_action is enabled
c) An "action" record for "be_user_creation" must exist and be enabled.
d) A non-admin backend user must legally be allowed to use this "action"
record to create new backend users.
e) This non-admin backend user must be logged in to the TYPO3 backend and
can exploit the issues via the Taskcenter.
(issue imported from #M13650)