Feature #23050
closed
Install tool password can be overwritten by an extensions' ext_localcconf.php
Added by Helmut Hummel over 14 years ago.
Updated almost 10 years ago.
Description
Quote from Bernhard Kraft:
===================================================
I think this should be seen as a security exploit. As a normal admin
should not be able to enter the install tool.
If you deactivate installing of extensions via the install tool
(AllowLocalInstall) so an admin can not install an extension like
quixplorer. And additionally set the "noEdit" flag, then this issue can
of course get avoided.
But I think operators of a site should be aware of this issue. What do
you think?
OTRS:
2010021810000014
(issue imported from #M14935)
Files
There are actually other parameters that could be overridden by an extension and which might cause some misery to a site, so it's nearly impossible to check for every situation without actually scanning every extension's ext_localconf.php file which would be a huge overhead (although it could probably also be done by a scheduler task).
To me it seems more like a problem of educating administrators. It could be something that goes in the (upcoming ;-) security guide.
Well, I agree: Administrators should know what they install.
However, here is my solution:
Let's do it with the install tool password similar to the DB connection data:
Set it in localconf.php as a variable, and then make a constant out of it, before including all the extensions stuff.
Attached is a first try of my approach.
Seems to me more like a feature than a security issue.
- Description updated (diff)
- Target version deleted (
-1)
I'd say this is not an issue anymore with 6.2 install tool: The install tool does not load ext_localconf / ext_tables for its login screen, so even if the install tool password is overwritten in such files, it will not be taken into account.
- Status changed from Accepted to Closed
agreed. was a not really a big issue anyway
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by