Task #75104
closed
lockToDomain feature can be (easily) circumvented
Added by Helmut Hummel about 8 years ago.
Updated over 5 years ago.
Description
lockToDomain is only ever checked against HTTP_HOST which is a request parameter which can be faked.
By doing so, it is possible to forge a request with a fake Host header value.
Of course the TYPO3 user must still be valid and active.
Scenario:
- System is configured (with trusted hosts) for frontend1.mydomain.com and frontend2.mydomain.com
- User Mallory has two groups (one with lockToDomain for frontend1 and one for frontend2)
- User Mallory logs in on frontend1.mydomain.com (success)
- User Mallory fakes his HTTP_HOST header to frontend2.mydomain.com and gets access rights for frontend1.mydomain.com
I don't know how to fix this.
This is not fixable: The feature relies on HTTP_HOST and there is not way to trust this, so lockToDomain is more an "organizational" feature and must not be interpreted as a security measure.
This ticket is now public, ideas: Add a hint "this is not a sec feature" to csh of those 4 fields (be_groups, be_users, fe_groups, fe_users), and add an according hint to the "security guide"
- Tracker changed from Bug to Task
- Project changed from 1716 to TYPO3 Core
- TYPO3 Version changed from 4.5 to 8
- Complexity set to easy
- Status changed from New to Under Review
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
- Status changed from Resolved to Closed
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by