Project

General

Profile

Actions

Bug #22179

closed

Privilege escalation in sys_actions (DB mount, usergroups)

Added by Georg Ringer over 14 years ago. Updated about 14 years ago.

Status:
Closed
Priority:
Must have
Assignee:
Category:
-
Target version:
-
Start date:
2010-02-24
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
4.3
PHP Version:
5.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

---------------------------- (1) ------------------------------------

Arbitrary database mountpoints can be added (to a backend user account
created by sys_action) via modifying HTTP POST parameters

[REMOVED]

---------------------------- (2) ------------------------------------

Membership to arbitrary backend groups can be added (to a backend user
account created by sys_action) via modifying HTTP POST parameter

Reason: It seems that function fixUserGroup() in class.tx_sysaction.php
does not work properly.

both reports by Henning Pingel

Premises
---------------------------------------------------------------------

a) SYSEXT:Taskcenter is enabled
b) SYSEXT:sys_action is enabled
c) A "action" record for "be_user_creation" must exist and be enabled. d)
A non-admin backend user must legally be allowed to use this "action"
record to create new backend users.
d) This non-admin backend user must be logged in to the TYPO3 backend and
can exploit the issues via the Taskcenter
(issue imported from #M13650)


Files

Actions

Also available in: Atom PDF