Bug #67589
closed
Invalidate Install Tool session when users logout from backend
0%
Description
When a backend user logs in to the backend (BE) of TYPO3 CMS, he/she can access the Install Tool via module SYSTEM -> Install. The Install Tool is "embedded" in the BE (so unexperienced users believe they are working in the BE).
The problem is if the user ends his BE session by clicking "Logout" in the BE, this terminates the session and the login form re-appears. At this point, the user is logged-out from the BE, but not from the Install Tool. Unexperienced users are not aware of that (the fact that they logged-out from the BE gives them the impression, no edit/admin functions can be accessed anymore).
Prove of concept
Login at the BE, go to SYSTEM -> Install (Install Tool appears).
Logout from the BE by clicking the "Logout" button (BE login form appears).
Access the Install Tool by entering the URL: http://www.example.com/typo3/install
Install Tool appears without further authentication.
Possible exploit scenario
BE user works in BE and accesses the Install Tool. He/she logs out and leaves his/her computer unattended, believing the website can not accessed anymore (due to the logout-fact). Someone else can use the workstation, enter the URL of the Install Tool and access the system without further authentication.
Suggested solution
Invalidate the Install Tool session when user logs-out from the backend (maybe even delete file typo3conf/ENABLE_INSTALL_TOOL if it exists).
Updated by Andreas Kienast almost 9 years ago
- Status changed from New to Rejected
Thank you for your idea, but I fear it's not that easy to fix this issue. Please let me explain:
An admin has to actively login to the Install Tool by hisself, so we expect from him that he also logs out again, we assume he knows what he does.
Additionally, there are some technical issues:
Install Tool sessions are independent from backend user sessions and not connected to each other, so we can't say that Install Tool session "A" belongs to backend user session "Y".
Deleting typo3conf/ENABLE_INSTALL_TOOL is also not an option here, as it's possible that multiple admins are logged in, where one of them is working in the Install Tool. If admin A logs out from the backend, admin B will be kicked out of the Install Tool. We could check here if another admin is logged in, but there's a third side-case: we can't properly detect if a backend session times out (e.g. because the user closed his browser already) so the file will remain.
Updated by Michael Schams almost 9 years ago
Thanks for your feedback. I understand the challenge. However the chances of kicking out another admin is very low. In addition, if this would happen, I would classify this as "awkward" and not a major issue. Security should always be the higher priority!
What about opening the Install Tool in a new window rather than embed it in the content area of the TYPO3 BE? This still does not address my security concerns, but it clearly shows that the Install is a separate tool (where you have to logout) and it is more likely that admins logout properly and end the session.
PS: I also requested a comment from the TYPO3 Security Team on this issue.
Updated by Helmut Hummel almost 9 years ago
The fix here would be to make the install tool a completely independent package, which can be just removed on live systems.
For this to work, we must move maintenance tasks (cache clearing, configuration handling, etc.) out of it and include it into the backend.
This is indeed planned, but will not happen for 7LTS
The issue is btw. already greatly mitigated by the fact, that the install tool session is invalidated after 1 hour.
You can right now already further mitigate it, by having an extension which e.g. hooks into the logout hook and deletes any install tool enable file (with all the implications written above).