Task #75104 (closed): lockToDomain feature can be (easily) circumvented
Description
lockToDomain is only ever checked against HTTP_HOST, which is a request parameter and can be faked.
By doing so, it is possible to forge a request with a fake Host header value.
Of course the TYPO3 user must still be valid and active.
Updated by Benni Mack over 8 years ago
Scenario:
- System is configured (with trusted hosts) for frontend1.mydomain.com and frontend2.mydomain.com
- User Mallory has two groups (one with lockToDomain for frontend1 and one for frontend2)
- User Mallory logs in on frontend1.mydomain.com (success)
- User Mallory fakes his HTTP_HOST header to frontend2.mydomain.com and gets access rights for frontend1.mydomain.com
I don't know how to fix this.
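The scenario above, modelled as a small runnable check (an added example, not TYPO3 code). The host allowlist, the user record and the group titles are constructed for the example; the point it shows is that a trusted-hosts pattern stops arbitrary Host values, but the lockToDomain comparison still only sees the Host header the client chose to send, so it cannot tell which of the configured frontends the client actually reached.

```python
import re

# Constructed allowlist in the spirit of TYPO3's trustedHostsPattern (assumed value).
TRUSTED_HOSTS_PATTERN = r"(frontend1|frontend2)\.mydomain\.com"

# Constructed user record: Mallory is in two groups, each locked to one frontend.
MALLORY_GROUPS = [
    {"uid": 1, "title": "frontend1 editors", "lockToDomain": "frontend1.mydomain.com"},
    {"uid": 2, "title": "frontend2 editors", "lockToDomain": "frontend2.mydomain.com"},
]


def is_trusted_host(host_header: str) -> bool:
    """Allowlist check: rejects Host values outside the configured set.

    This is the mitigation for arbitrary Host header injection. It does not,
    and cannot, verify which configured host the request really arrived on.
    """
    return re.fullmatch(TRUSTED_HOSTS_PATTERN, host_header) is not None


def effective_groups(groups: list[dict], host_header: str) -> list[dict]:
    """Groups the session gets, given the Host header the client sent.

    Mirrors the lockToDomain rule: a group with an empty lockToDomain always
    applies; otherwise lockToDomain must equal the request's host.
    """
    if not is_trusted_host(host_header):
        return []
    return [
        g for g in groups
        if not g["lockToDomain"] or g["lockToDomain"] == host_header
    ]


def group_titles(groups: list[dict], host_header: str) -> list[str]:
    """Convenience wrapper returning only the titles of the effective groups."""
    return [g["title"] for g in effective_groups(groups, host_header)]


if __name__ == "__main__":
    # A Host value outside the allowlist is rejected outright.
    print("evil.example      ->", group_titles(MALLORY_GROUPS, "evil.example"))
    # Both configured hosts are accepted; the server can only go by the header
    # it was handed, so the client decides which locked group becomes active.
    for host in ("frontend1.mydomain.com", "frontend2.mydomain.com"):
        print(f"{host} ->", group_titles(MALLORY_GROUPS, host))
```

Because the only input to the decision is a client-supplied header, a group's lockToDomain separates users by which configured site they say they are on, not by which site they can reach; that is why the thread treats it as an organizational setting rather than an access control boundary.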
Updated by Christian Kuhn over 8 years ago
This is not fixable: The feature relies on HTTP_HOST and there is no way to trust this, so lockToDomain is more an "organizational" feature and must not be interpreted as a security measure.
Updated by Christian Kuhn over 8 years ago
This ticket is now public, ideas: Add a hint "this is not a sec feature" to csh of those 4 fields (be_groups, be_users, fe_groups, fe_users), and add an according hint to the "security guide"
Updated by Christian Kuhn over 8 years ago
- Tracker changed from Bug to Task
- Project changed from 1716 to TYPO3 Core
- TYPO3 Version changed from 4.5 to 8
- Complexity set to easy
Updated by Gerrit Code Review about 8 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/49751
Updated by Gerrit Code Review about 8 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/49751
Updated by Gerrit Code Review about 8 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/49751
Updated by Gerrit Code Review almost 8 years ago
Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/49751
Updated by Gerrit Code Review almost 8 years ago
Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/49751
Updated by Tomita Militaru almost 8 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset c9ca950a3e4965a46e2924f05d8fb158e3ad8d08.