Task #75104

closed

lockToDomain feature can be (easily) circumvented

Added by Helmut Hummel about 8 years ago. Updated over 5 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2016-03-14
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 8
PHP Version:
Tags:
Complexity: easy
Sprint Focus:

Description

lockToDomain is only ever checked against HTTP_HOST which is a request parameter which can be faked.

By doing so, it is possible to forge a request with a fake Host header value.

Of course the TYPO3 user must still be valid and active.

Actions #1

Updated by Benni Mack about 8 years ago

Scenario:

- System is configured (with trusted hosts) for frontend1.mydomain.com and frontend2.mydomain.com
- User Mallory has two groups (one with lockToDomain for frontend1 and one for frontend2)
- User Mallory logs in on frontend1.mydomain.com (success)
- User Mallory fakes his HTTP_HOST header to frontend2.mydomain.com and gets access rights for frontend1.mydomain.com

I don't know how to fix this.

Actions #2

Updated by Christian Kuhn almost 8 years ago

This is not fixable: The feature relies on HTTP_HOST and there is no way to trust this, so lockToDomain is more an "organizational" feature and must not be interpreted as a security measure.
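
A simplified model of the check discussed above, added here as an illustration; it is not TYPO3 code, and the group names, data layout and function names are assumptions. It shows that the trusted-hosts allow-list and the domain lock both evaluate the same client-supplied Host value, so the resolved groups follow whichever trusted host name the request carries.

```python
import re

# Constructed configuration mirroring the scenario in comment #1.
TRUSTED_HOSTS = re.compile(r"^frontend[12]\.mydomain\.com$")  # allow-list of valid hosts
GROUPS = {
    "group_a": {"lock_to_domain": "frontend1.mydomain.com"},
    "group_b": {"lock_to_domain": "frontend2.mydomain.com"},
    "group_c": {"lock_to_domain": ""},  # no lock: applies on every host
}
USER_GROUPS = {"mallory": ["group_a", "group_b", "group_c"]}


def host_is_trusted(host_header):
    """Allow-list check: rejects unknown hosts, but cannot tell which
    trusted host the client really connected to."""
    return bool(TRUSTED_HOSTS.match(host_header.lower()))


def effective_groups(username, host_header):
    """Resolve groups the way a Host-based lock does: a locked group counts
    only when its domain equals the Host header of the current request."""
    if not host_is_trusted(host_header):
        raise ValueError("untrusted host: " + host_header)
    host = host_header.lower()
    return sorted(
        name for name in USER_GROUPS.get(username, [])
        if GROUPS[name]["lock_to_domain"] in ("", host)
    )


def groups_per_host(username, hosts):
    """Same authenticated user, same session; only the Host header differs."""
    return {h: effective_groups(username, h) for h in hosts}


if __name__ == "__main__":
    result = groups_per_host(
        "mallory", ["frontend1.mydomain.com", "frontend2.mydomain.com"]
    )
    for host, groups in result.items():
        print(host, "->", groups)
```
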

Actions #3

Updated by Christian Kuhn almost 8 years ago

This ticket is now public, ideas: Add a hint "this is not a sec feature" to csh of those 4 fields (be_groups, be_users, fe_groups, fe_users), and add an according hint to the "security guide"

Actions #4

Updated by Christian Kuhn almost 8 years ago

  • Tracker changed from Bug to Task
  • Project changed from 1716 to TYPO3 Core
  • TYPO3 Version changed from 4.5 to 8
  • Complexity set to easy

Actions #5

Updated by Gerrit Code Review over 7 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/49751

Actions #6

Updated by Gerrit Code Review over 7 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/49751

Actions #7

Updated by Gerrit Code Review over 7 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/49751

Actions #8

Updated by Gerrit Code Review about 7 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/49751

Actions #9

Updated by Gerrit Code Review about 7 years ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/49751

Actions #10

Updated by Tomita Militaru about 7 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

Actions #11

Updated by Benni Mack over 5 years ago

  • Status changed from Resolved to Closed