Project

General

Profile

Actions
Copy link

Feature #23050

closed

Install tool password can be overwritten by an extensions' ext_localcconf.php

Added by Helmut Hummel over 14 years ago. Updated almost 10 years ago.

Status:
Closed
Priority:
Should have
Assignee:
Benni Mack
Category:
-
Target version:
-
Start date:
2010-06-30
Due date:
% Done:

0%

Estimated time:
PHP Version:
5.2
Tags:
Complexity:
Sprint Focus:

Description

Quote from Bernhard Kraft: ===================================================
I think this should be seen as a security exploit. As a normal admin
should not be able to enter the install tool.

If you deactivate installing of extensions via the install tool
(AllowLocalInstall) so an admin can not install an extension like
quixplorer. And additionally set the "noEdit" flag, then this issue can
of course get avoided.

But I think operators of a site should be aware of this issue. What do
you think?

OTRS:

2010021810000014
(issue imported from #M14935)

Files

Download all files
14935_trunk.patch (4.06 KB) 14935_trunk.patch Administrator Admin, 2010-07-17 16:24
14935.patch (3.76 KB) 14935.patch Administrator Admin, 2011-01-04 10:04
Actions
Copy link
 #1

Updated by Francois Suter over 14 years ago

There are actually other parameters that could be overridden by an extension and which might cause some misery to a site, so it's nearly impossible to check for every situation without actually scanning every extension's ext_localconf.php file which would be a huge overhead (although it could probably also be done by a scheduler task).

To me it seems more like a problem of educating administrators. It could be something that goes in the (upcoming ;-) security guide.

Actions
Copy link
 #2

Updated by Benni Mack over 14 years ago

Well, I agree: Administrators should know what they install.

However, here is my solution:

Let's do it with the install tool password similar to the DB connection data:

Set it in localconf.php as a variable, and then make a constant out of it, before including all the extensions stuff.

Actions
Copy link
 #3

Updated by Benni Mack over 14 years ago

Attached is a first try of my approach.

Seems to me more like a feature than a security issue.

Actions
Copy link
 #4

Updated by Christian Kuhn almost 10 years ago

  • Description updated (diff)
  • Target version deleted (-1)

I'd say this is not an issue anymore with 6.2 install tool: The install tool does not load ext_localconf / ext_tables for its login screen, so even if the install tool password is overwritten in such files, it will not be taken into account.

Actions
Copy link
 #5

Updated by Helmut Hummel almost 10 years ago

  • Status changed from Accepted to Closed

agreed. was a not really a big issue anyway

Actions
Copy link

Also available in: Atom PDF