Bug #24137

closed

EM stores credentials in BE_USER->uc

Added by Steffen Kamper about 14 years ago. Updated over 10 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2010-11-19
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 4.7
PHP Version: 5.3
Tags:
Complexity:
Is Regression: No
Sprint Focus:

Description

That is a bad situation: I can read my password in the configuration module, see attached screenshot.

Suggestion:
Use a fe_user for the credentials.

(issue imported from #M16482)


Files

ter_password.png (13.3 KB), Administrator Admin, 2010-11-19 11:40
Actions #1

Updated by Steffen Gebert almost 14 years ago

I don't understand how a fe_user should help.

The password could be stored encrypted, but with which key? It would prevent reading it directly, but if somebody has enough access, it can, of course, be decrypted.

Another possibility would be to not use the t3o credentials, but to allow a kind of API key to be entered in the installation. This key could then only allow handling extension uploads or keys, but not logins for t3o.

Actions #2

Updated by Michael Stucki over 13 years ago

  • Target version deleted (1076)
Actions #3

Updated by Christian Kuhn about 13 years ago

  • TYPO3 Version changed from 4.5 to 4.7

This is not a direct security problem.

We discussed this with the security team and came to the following conclusion:
It would be best if we do not store the password at all. To achieve that, we should remove the check for a saved user password that displays the "TER upload" tab in the new EM. We should then remove the 'save username + password' functionality from the settings tab. Furthermore, we should add an update wizard that cycles through all be_users and removes the credentials.

This could be done for 4.7.

Actions #4

Updated by Gerrit Code Review over 12 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master_new has been pushed to the review server.
It is available at http://review.typo3.org/13325

Actions #5

Updated by Mario Rimann over 12 years ago

The pushed change contains the upgrade wizard. I gave up on the Extension Manager changes as I don't get it right now.

Actions #6

Updated by Helmut Hummel over 12 years ago

  • Project changed from 1716 to TYPO3 Core

This low priority issue can be handled publicly.

Solution: Introduce a new report that checks if the password has been saved in uc; for master, additionally introduce an upgrade wizard that removes the password from all users if there are any.
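The two pieces proposed in notes #3 and #6, a report that detects a password stored in `be_users.uc` and a wizard that strips it, come down to the same operation on the serialized `uc` array. The following is an added example, not TYPO3 core code and not the change pushed to Gerrit. It assumes modern PHP (7.4 or later) and a key path `['em']['fe_u']` for the stored credentials; the issue does not name the actual key, so that path is an assumption to be replaced with the one the affected EM version used. The `be_users` rows are constructed in memory rather than read from the database.

```php
<?php
declare(strict_types=1);

// Added example (not TYPO3 core code): detect and strip TER credentials
// stored in be_users.uc. The uc column holds a PHP-serialized array; the
// exact key path used by the old EM is not stated in the issue, so the
// path below is an ASSUMPTION to adjust for the version at hand.
const ASSUMED_CREDENTIAL_PATH = ['em', 'fe_u'];

/**
 * Report check (note #6): true when the serialized uc contains a
 * non-empty password under the assumed key path.
 */
function ucHasStoredCredentials(string $serializedUc): bool
{
    // allowed_classes=false: never instantiate objects from a stored blob.
    $uc = @unserialize($serializedUc, ['allowed_classes' => false]);
    if (!is_array($uc)) {
        return false;
    }
    $node = $uc;
    foreach (ASSUMED_CREDENTIAL_PATH as $key) {
        if (!is_array($node) || !array_key_exists($key, $node)) {
            return false;
        }
        $node = $node[$key];
    }
    return is_array($node) && ($node['password'] ?? '') !== '';
}

/**
 * Wizard step (note #3): returns the serialized uc with the credential
 * subtree removed. Input that does not unserialize is returned unchanged
 * so a broken row is never overwritten with garbage.
 */
function ucWithoutStoredCredentials(string $serializedUc): string
{
    $uc = @unserialize($serializedUc, ['allowed_classes' => false]);
    if (!is_array($uc)) {
        return $serializedUc;
    }
    $path = ASSUMED_CREDENTIAL_PATH;
    $last = array_pop($path);
    $ref = &$uc;
    foreach ($path as $key) {
        if (!isset($ref[$key]) || !is_array($ref[$key])) {
            return $serializedUc; // nothing to remove
        }
        $ref = &$ref[$key];
    }
    unset($ref[$last]);
    unset($ref);
    return serialize($uc);
}

// Constructed sample rows standing in for: SELECT uid, username, uc FROM be_users
$beUsers = [
    ['uid' => 1, 'username' => 'admin', 'uc' => serialize([
        'lang' => 'default',
        'em'   => ['fe_u' => ['username' => 'tero', 'password' => 'example-secret']],
    ])],
    ['uid' => 2, 'username' => 'editor', 'uc' => serialize(['lang' => 'de'])],
    ['uid' => 3, 'username' => 'broken', 'uc' => 'not-serialized'],
];

// Report: which accounts still carry credentials in uc?
$affected = array_filter($beUsers, fn(array $row) => ucHasStoredCredentials($row['uc']));
printf("%d of %d be_users store TER credentials in uc\n", count($affected), count($beUsers));

// Wizard: rewrite uc for the affected rows. Done in memory here; a real
// wizard would issue UPDATE be_users SET uc=... WHERE uid=... per row.
foreach ($affected as $row) {
    $cleaned = ucWithoutStoredCredentials($row['uc']);
    printf("uid %d (%s): credentials removed, still present afterwards: %s\n",
        $row['uid'], $row['username'], ucHasStoredCredentials($cleaned) ? 'yes' : 'no');
}
```

Keeping the detection and the removal as two functions over the same key path means the report and the wizard cannot drift apart: whatever the report flags is exactly what the wizard removes, and running the report again after the wizard gives a zero count that confirms the cleanup.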

Actions #7

Updated by Gerrit Code Review over 12 years ago

Patch set 2 for branch master_new has been pushed to the review server.
It is available at http://review.typo3.org/13325

Actions #8

Updated by Gerrit Code Review over 12 years ago

Patch set 3 for branch master_new has been pushed to the review server.
It is available at http://review.typo3.org/13325

Actions #9

Updated by Alexander Opitz over 11 years ago

  • Status changed from Under Review to New

The gerrit code review messages are false. So set back to new.

Actions #10

Updated by Gerrit Code Review almost 11 years ago

  • Status changed from New to Under Review

Patch set 1 for branch TYPO3_4-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/25689

Actions #11

Updated by Wouter Wolters over 10 years ago

  • Status changed from Under Review to Closed
  • Is Regression set to No

Helmut Hummel Nov 26 13:49

Patch Set 1:

If someone likes to pick this up, great.

The security team will not push this to be fixed any more and since it is not an issue any more with EM starting from 6.0 I'm fine to just abandon this.
