Bug #67589
Status: closed
Invalidate Install Tool session when users log out from backend
Done: 0%
Description
When a backend user logs in to the backend (BE) of TYPO3 CMS, he/she can access the Install Tool via module SYSTEM -> Install. The Install Tool is "embedded" in the BE (so inexperienced users believe they are working in the BE).
The problem is: if the user ends his BE session by clicking "Logout" in the BE, this terminates the session and the login form re-appears. At this point, the user is logged out from the BE, but not from the Install Tool. Inexperienced users are not aware of that (the fact that they logged out from the BE gives them the impression that no edit/admin functions can be accessed anymore).
Proof of concept
Log in to the BE, go to SYSTEM -> Install (Install Tool appears).
Logout from the BE by clicking the "Logout" button (BE login form appears).
Access the Install Tool by entering the URL: http://www.example.com/typo3/install
Install Tool appears without further authentication.
Possible exploit scenario
BE user works in the BE and accesses the Install Tool. He/she logs out and leaves his/her computer unattended, believing the website cannot be accessed anymore (because of the logout). Someone else can use the workstation, enter the URL of the Install Tool and access the system without further authentication.
Suggested solution
Invalidate the Install Tool session when the user logs out from the backend (maybe even delete the file typo3conf/ENABLE_INSTALL_TOOL if it exists).
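One way to implement the suggested solution, added here as an illustration (this is not code from the issue and not TYPO3 core's own fix): a hook on the backend user's logoff that expires the Install Tool cookie, removes the Install Tool's server-side session files and deletes typo3conf/ENABLE_INSTALL_TOOL. The hook key `logoff_pre_processing`, the cookie name `Typo3InstallTool`, the session directory `typo3temp/InstallToolSessions` and the `PATH_site` constant are assumptions about the TYPO3 version in use and must be checked against the installed Install Tool session service; the extension namespace is hypothetical.

```php
<?php
declare(strict_types=1);

namespace Vendor\InstallToolLogout\Hook;

use TYPO3\CMS\Core\Authentication\AbstractUserAuthentication;
use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;

/**
 * Tears down Install Tool access when a backend user logs out.
 *
 * Registered from ext_localconf.php of a hypothetical extension:
 *
 *   $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['logoff_pre_processing'][]
 *       = \Vendor\InstallToolLogout\Hook\InstallToolLogoutHook::class . '->logoffPreProcessing';
 *
 * ASSUMPTIONS (not taken from the issue): the cookie name, the session directory and
 * the PATH_site constant below are what the installed TYPO3 version actually uses.
 */
class InstallToolLogoutHook
{
    private const INSTALL_TOOL_COOKIE = 'Typo3InstallTool';            // assumed cookie name
    private const ENABLE_FILE         = 'typo3conf/ENABLE_INSTALL_TOOL'; // the file named in the issue
    private const SESSION_DIR         = 'typo3temp/InstallToolSessions'; // assumed session location

    public function logoffPreProcessing(array $params, AbstractUserAuthentication $userAuth): void
    {
        // The hook is defined on the abstract user class, so it also fires for
        // frontend logouts; only a backend logout should touch the Install Tool.
        if (!$userAuth instanceof BackendUserAuthentication) {
            return;
        }
        $siteRoot = rtrim(PATH_site, '/') . '/';

        $this->expireInstallToolCookie();
        $this->removeInstallToolSessions($siteRoot . self::SESSION_DIR);
        $this->removeEnableFile($siteRoot . self::ENABLE_FILE);
    }

    /** Overwrite the browser's Install Tool cookie with an already-expired one. */
    private function expireInstallToolCookie(): void
    {
        if (headers_sent()) {
            return; // too late to change cookies; the server-side cleanup below still applies
        }
        $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
        // Same path as the original cookie so the browser replaces rather than adds it.
        setcookie(self::INSTALL_TOOL_COOKIE, '', time() - 3600, '/', '', $secure, true);
    }

    /**
     * Delete the server-side session files so that a cookie value still sitting in a
     * browser (or in a proxy log) is useless afterwards. This drops every Install Tool
     * session on the host, not only the one of the user logging out.
     */
    private function removeInstallToolSessions(string $dir): void
    {
        if (!is_dir($dir)) {
            return;
        }
        $iterator = new \RecursiveIteratorIterator(
            new \RecursiveDirectoryIterator($dir, \FilesystemIterator::SKIP_DOTS),
            \RecursiveIteratorIterator::CHILD_FIRST
        );
        foreach ($iterator as $entry) {
            if ($entry->isFile()) {
                @unlink($entry->getPathname());
            }
        }
    }

    /** The issue's own suggestion: without the enable flag the Install Tool refuses to start at all. */
    private function removeEnableFile(string $file): void
    {
        if (is_file($file)) {
            @unlink($file);
        }
    }
}
```

Expiring the cookie alone would only help against the unattended-workstation scenario; removing the session files is what makes the cookie value itself worthless, and deleting ENABLE_INSTALL_TOOL closes the Install Tool for every administrator until someone recreates the file, so decide deliberately whether that side effect is acceptable on every backend logout.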