Bug #24137: EM stores credentials in BE_USER->uc - TYPO3 Core - TYPO3 Forge

Custom queries

Accessibility
Easy tasks
Forge Triage
JavaScript issues
JavaScript Issues (w/o Epics/Stories)
My open issues
No feedback within 90 days
Open Bugs
Open issues of 10
Recently modified
Regressions
Stabilization Issues
Usability or UX

Actions

Copy link

Bug #24137

closed

EM stores credentials in BE_USER->uc

Added by Steffen Kamper about 14 years ago. Updated over 10 years ago.

Status:

Closed

Priority:

Should have

Assignee:

Category:

Target version:

Start date:

2010-11-19

Due date:

% Done:

Estimated time:

TYPO3 Version:

4.7

PHP Version:

5.3

Tags:

Complexity:

Is Regression:

Sprint Focus:

Description

that is a bad situation, i can read my password in configuration module, see attached screenshot.

Suggestion:
Use a fe_user for the credentials.

(issue imported from #M16482)

Files

ter_password.png (13.3 KB) ter_password.png

Administrator Admin, 2010-11-19 11:40

History
Notes
Property changes

Actions

Copy link

Updated by Steffen Gebert almost 14 years ago

I don't understand, how a fe_user should help.

Password could be stored encrypted - but with which key? It would prevent to read it directly, but if sb. has enough access, it can, of ourse, be decrypted.

Other possibility would be to not use the t3o credentials, but allow to use kind of API keys and enter it in the installation. This key then could allow to only handle extension uploads or keys, but not logins for t3o.

Actions

Copy link

Updated by Michael Stucki over 13 years ago

Target version deleted (~~1076~~)

Actions

Copy link

Updated by Christian Kuhn about 13 years ago

TYPO3 Version changed from 4.5 to 4.7

This is not a direct security problem.

We discussed this with the security team and came to the following conclusion:
It would be best, if we do not store the password at all. To achive that, we should remove the check for saved user password to display the "TER upload" tab in new em. We should then remove the 'save username + password' functionality from settings tab. Furthermore, we should add an update wizard that cycles through all be_users and removes the credentials.

This could be done for 4.7.

Actions

Copy link

Updated by Gerrit Code Review over 12 years ago

Status changed from New to Under Review

Patch set 1 for branch master_new has been pushed to the review server.
It is available at http://review.typo3.org/13325

Actions

Copy link

Updated by Mario Rimann over 12 years ago

The pushed change contains the upgrade wizard. I gave up with the Extension Manager changes as I don't get it right now.

Actions

Copy link

Updated by Helmut Hummel over 12 years ago

Project changed from 1716 to TYPO3 Core

This low priority issue can be handled publicly.

Solution: Introduce a new report, that checks if the password has been saved in uc, for master: additionally introduce an upgrade wizard that removes the password from all users if there are any

Actions

Copy link

Updated by Gerrit Code Review over 12 years ago

Patch set 2 for branch master_new has been pushed to the review server.
It is available at http://review.typo3.org/13325

Actions

Copy link

Updated by Gerrit Code Review over 12 years ago

Patch set 3 for branch master_new has been pushed to the review server.
It is available at http://review.typo3.org/13325

Actions

Copy link

Updated by Alexander Opitz over 11 years ago

Status changed from Under Review to New

The gerrit code review messages are false. So set back to new.

Actions

Copy link

#10

Updated by Gerrit Code Review almost 11 years ago

Status changed from New to Under Review

Patch set 1 for branch TYPO3_4-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/25689

Actions

Copy link

#11

Updated by Wouter Wolters over 10 years ago

Status changed from Under Review to Closed
Is Regression set to No

Helmut Hummel Nov 26 13:49

Patch Set 1:

If someone likes to pick this up, great.

The security team will not push this to be fixed any more and since it is not an issue any more with EM starting from 6.0 I'm fine to just abandon this.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

TYPO3 Core

Custom queries

Bug #24137

EM stores credentials in BE_USER->uc

Updated by Steffen Gebert almost 14 years ago

Updated by Michael Stucki over 13 years ago

Updated by Christian Kuhn about 13 years ago

Updated by Gerrit Code Review over 12 years ago

Updated by Mario Rimann over 12 years ago

Updated by Helmut Hummel over 12 years ago

Updated by Gerrit Code Review over 12 years ago

Updated by Gerrit Code Review over 12 years ago

Updated by Alexander Opitz over 11 years ago

Updated by Gerrit Code Review almost 11 years ago

Updated by Wouter Wolters over 10 years ago