Bug #36480

closed

Do not make BE usernames available to the public

Added by Timo about 12 years ago. Updated almost 11 years ago.

Status:
Closed
Priority:
Must have
Assignee:
-
Category:
-
Target version:
-
Start date:
2012-04-23
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
4.5
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

After a user has logged in to the backend, TYPO3 creates a locallang file with the username.
Such a file is created for each backend user. Each file contains the username of the backend user. This is a potential security hole, because you can filter out these usernames.

The username is added at line 425 of the backend.php.

Example:
"refresh_login_title":"Refresh Login to TYPO3 (User: admin)"

Is it possible to change this in general?

Actions #1

Updated by Chris topher about 12 years ago

  • Subject changed from Vulnerability in the backend.php to Do not make BE usernames available to the public
Actions #2

Updated by Helmut Hummel about 12 years ago

  • Project changed from TYPO3 Core to 1716

Moving to core/security to check if this could be a problem

Actions #3

Updated by Helmut Hummel about 12 years ago

  • Project changed from 1716 to TYPO3 Core

Move back to core project

Actions #4

Updated by Helmut Hummel about 12 years ago

  • Status changed from New to Needs Feedback

This is indeed not nice. However, the filenames of these files contain a sha1 hash. Without knowing the filename, you have no access to this file (if directory listing is disabled, which is recommended anyway).

Can you elaborate how you can easily guess this hash without knowing the actual username?
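An added audit script, not part of this ticket or of TYPO3, that a site administrator can run locally against the web-served directory holding the generated locallang files (the report above) to count files that embed a backend username and to check that an Apache `.htaccess` there turns off directory indexes (the condition named in comment #4). The `typo3temp` path and the `locallang-BE-<hash>.js` filenames in the sample are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the ticket or the TYPO3 project).
# Audits a directory such as typo3temp for generated locallang files that
# embed a backend username, and checks whether directory indexes are off.

# Count files under $1 whose content contains the refresh_login_title
# string quoted in the report, i.e. files that leak a backend username.
count_exposed_usernames() {
    dir="$1"
    find "$dir" -type f -name '*.js' \
        -exec grep -lF 'Refresh Login to TYPO3 (User:' {} + 2>/dev/null \
        | wc -l | tr -d ' '
}

# Succeed (exit 0) only if an Apache .htaccess in $1 disables directory
# listing with "Options -Indexes"; without that, the sha1-based filenames
# are no protection because the listing hands them out.
indexes_disabled() {
    grep -qs 'Options[[:space:]].*-Indexes' "$1/.htaccess"
}

# Constructed sample standing in for typo3temp: one file leaking a username,
# one that does not, and an .htaccess that disables indexes.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' '{"refresh_login_title":"Refresh Login to TYPO3 (User: admin)"}' \
        > "$d/locallang-BE-0123abcd.js"
    printf '%s\n' '{"refresh_login_title":"Refresh Login to TYPO3"}' \
        > "$d/locallang-BE-fedc4567.js"
    printf '%s\n' 'Options -Indexes' > "$d/.htaccess"
    echo "$d"
}

# Usage: run the audit on a real directory, e.g. ./audit.sh /var/www/html/typo3temp
if [ -n "$1" ]; then
    echo "files embedding a backend username: $(count_exposed_usernames "$1")"
    if indexes_disabled "$1"; then
        echo "directory indexes: disabled via .htaccess"
    else
        echo "directory indexes: NOT disabled via .htaccess (check server config)"
    fi
fi
```

On nginx the equivalent setting is `autoindex off;`, which this script does not check.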

Actions #5

Updated by Timo about 12 years ago

The problem is solved. The administrator has forgotten to disable the directory listing. Thanks for your help.

Actions #6

Updated by Alexander Opitz almost 11 years ago

  • Status changed from Needs Feedback to Closed