Bug #86249
Install Tool remains accessible if admin user logs out of TYPO3 BE
Status: Closed (100% done)
Description
In a brand new TYPO3 v9.5.0-dev instance, a BE user with administrator privileges can log in, access any function of the Install Tool (e.g. ADMIN TOOLS → Environment → Environment Overview) without explicitly enabling the Install Tool, and then log out from the backend again. At that point, the user can walk away from his/her desk under the assumption that he's fully logged out from the system.
However, this is not the case: by simply entering /typo3/install, the user (or an "evil colleague") can access the Install Tool without further authentication.
I reported a similar issue in earlier versions of TYPO3, which was rejected on the grounds that "Administrators should know that the Install Tool and the TYPO3 backend are two separate things." However, with TYPO3 v9 this system behavior got even worse from a security perspective. Administrator users can't see/feel that these are two different components anymore. On top of that, they don't even need to explicitly enable the Install Tool when logged in at the backend ("Do you want to create the ENABLE_INSTALL_TOOL file?").
</gra_replace>
<gr_replace lines="11" cat="clarify" orig="Therefore, I decided">
Therefore, I decided to put this topic back on the table for reconsideration, because I believe this is bad practice/system design from a security perspective :-)
Also, I could not find an option to lock the Install Tool anymore.
Therefore, I decided to put this topic back on the table for re-consideration, because I believe this is bad practice/system design from a security perspective :-)
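To make the reported behaviour concrete from a defender's point of view, the following is an added model of two separate authentication scopes (a backend session and an Install Tool session opened from it) with a logout that either leaves the second session alive or terminates it together with the backend session. This is illustration code written for this page, not TYPO3's own code; the class and method names (`SessionStore`, `Site`, `open_install_tool`, `backend_logout`) are assumptions, and the only TYPO3-specific fact it encodes is the report's observation that an administrator reaches the Install Tool from the backend without a separate login.

```python
"""
Two-scope session model: a backend session and a separate Install Tool
session that the backend can open for an administrator. Constructed
example; class and method names are assumptions, not TYPO3 APIs.
"""
import secrets


class SessionStore:
    """Server-side session store keyed by an opaque random token (the cookie value)."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        token = secrets.token_hex(16)
        self._sessions[token] = {"user": user}
        return token

    def get(self, token):
        return self._sessions.get(token)

    def destroy(self, token):
        self._sessions.pop(token, None)


class Site:
    """Backend and Install Tool authentication kept as two separate scopes."""

    def __init__(self, cascade_logout):
        self.backend = SessionStore()
        self.install_tool = SessionStore()
        # backend token -> Install Tool tokens it opened, so a logout can cascade
        self._opened = {}
        self.cascade_logout = cascade_logout

    def backend_login(self, user, is_admin):
        return self.backend.create({"name": user, "admin": is_admin})

    def open_install_tool(self, backend_token):
        """An administrator reaches the Install Tool straight from a backend
        session, without a separate Install Tool login (as the report describes)."""
        session = self.backend.get(backend_token)
        if session is None or not session["user"]["admin"]:
            raise PermissionError("backend admin session required")
        token = self.install_tool.create(session["user"])
        self._opened.setdefault(backend_token, []).append(token)
        return token

    def install_tool_accessible(self, install_token):
        """Would a request carrying only the Install Tool cookie be served?"""
        return self.install_tool.get(install_token) is not None

    def backend_logout(self, backend_token):
        self.backend.destroy(backend_token)
        if self.cascade_logout:
            # Terminate every Install Tool session this backend session opened,
            # so that the two scopes share one logout.
            for install_token in self._opened.pop(backend_token, []):
                self.install_tool.destroy(install_token)


def install_tool_survives_logout(cascade_logout):
    """Replay the report: an admin logs in, opens the Install Tool, logs out of
    the backend, then the same browser presents only the Install Tool cookie.
    Returns True if the Install Tool still answers, i.e. the reported problem."""
    site = Site(cascade_logout=cascade_logout)
    be = site.backend_login("admin", is_admin=True)
    it = site.open_install_tool(be)
    site.backend_logout(be)
    return site.install_tool_accessible(it)


if __name__ == "__main__":
    print("independent logout, Install Tool still accessible:",
          install_tool_survives_logout(cascade_logout=False))
    print("cascading logout, Install Tool still accessible:",
          install_tool_survives_logout(cascade_logout=True))
```

The point of the model is that "two separate things" is only safe if the user is made aware of both sessions or the sessions share a lifetime; once the backend opens the Install Tool on the administrator's behalf, the backend logout is the only logout the user sees, so it has to terminate the sessions it created.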
Updated by Riccardo De Contardi about 6 years ago
- Related to Bug #85404: Missing button to lock install tool added
Updated by Riccardo De Contardi about 6 years ago
- Status changed from New to Closed
- Assignee deleted (Oliver Hader)
Hi Michael, thank you for your report; I close this issue as a duplicate of #85404, please continue the discussion there. I've also added this one there as related to keep track of it.
If you think that this is the wrong decision, please reopen it or ping me and I'll do so.
Thank you!
Updated by Gerrit Code Review about 6 years ago
- Status changed from Closed to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/58297
Updated by Gerrit Code Review about 6 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/58297
Updated by Gerrit Code Review about 6 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/58297
Updated by Gerrit Code Review about 6 years ago
Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/58297
Updated by Gerrit Code Review about 6 years ago
Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/58297
Updated by Christian Kuhn about 6 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 2b2ab785020cb8482c0d020b091db136b8b2c93f.