Bug #73797

closed

Security bug: You can really change the user (not just SU) in TYPO3 Backend

Added by Markus Hölzle over 8 years ago. Updated about 6 years ago.

Status: Closed
Priority: Must have
Assignee: -
Category: -
Target version: -
Start date: 2016-03-01
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 7
PHP Version:
Tags:
Complexity:
Is Regression: No
Sprint Focus:

Description

Hi there,

I found a mysterious behaviour in the TYPO3 backend.

Way to reproduce the error:
  1. TYPO3 Login as admin "a1" (your account)
  2. Switch user (su) to a second admin "a2"
  3. Switch user (su as "a2") to a third user "a3"
  4. Leave the SU mode from "a3" back to "a2"

Now you are "a2"! You are not in the su mode anymore.
So you cannot switch back to "a1", which is your account.

Possible solution:
Maybe the SU buttons should be disabled if you are already in the su mode.
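
The reported steps and the suggested guard, replayed as an added example that is not part of the original report and not TYPO3's code. It assumes a hypothetical session model (`BackendSession`, `switchUser`, `exitSwitchUser` are illustrative names) in which one slot stores the account to return to.

```php
<?php
declare(strict_types=1);

// Hypothetical session model (an assumption, not TYPO3 code):
// a single slot remembers which account to return to.
final class BackendSession
{
    private ?string $originalUser = null; // non-null only in switch-user mode

    public function __construct(private string $currentUser, private bool $guarded) {}

    public function switchUser(string $target): void
    {
        // Mitigation suggested in the report: no SU while already in SU mode.
        if ($this->guarded && $this->originalUser !== null) {
            throw new RuntimeException('already in switch-user mode');
        }
        // Unguarded, a second switch overwrites the slot and a1 is forgotten.
        $this->originalUser = $this->currentUser;
        $this->currentUser = $target;
    }

    public function exitSwitchUser(): void
    {
        if ($this->originalUser === null) {
            throw new LogicException('not in switch-user mode');
        }
        $this->currentUser = $this->originalUser;
        $this->originalUser = null;
    }

    public function describe(): string
    {
        return sprintf('user=%s su=%s', $this->currentUser, $this->originalUser === null ? 'no' : 'yes');
    }
}

// Constructed replay of the four reported steps, without and with the guard.
foreach ([false, true] as $guarded) {
    $s = new BackendSession('a1', $guarded);   // step 1
    $s->switchUser('a2');                      // step 2
    try {
        $s->switchUser('a3');                  // step 3
        $s->exitSwitchUser();                  // step 4
    } catch (RuntimeException $e) {
        echo 'refused: ', $e->getMessage(), "\n";
    }
    echo $guarded ? 'guarded:   ' : 'unguarded: ', $s->describe(), "\n";
}
```

In the guarded run the session stays in switch-user mode as "a2", so leaving it still returns to "a1".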

Actions #1

Updated by Gerrit Code Review over 8 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/46981

Actions #2

Updated by Gerrit Code Review over 8 years ago

Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/46983

Actions #3

Updated by Markus Hölzle over 8 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

Actions #4

Updated by Benni Mack about 6 years ago

  • Status changed from Resolved to Closed