[opencms-dev] Security bug (or design flaw) with Account Manager role

Sebastian Himberger sebastian.himberger at gmx.de
Sun Feb 24 12:44:16 CET 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

| Maybe an account manager should not be able to change any data from an admin
| user at all?

Imho this would be the best and easiest solution to prevent this problem.

I'll second Arash and Fabian.

best regards,
Sebastian

Arash Kaffamanesh schrieb:
| Hi Alex,
|
|>> Maybe an account manager should not be able to change any data from an admin
|>> user at all?
|
| Yes they should not be able to change Admin's password, if the admin
| forgets his password, he has to ask the database administrator to reset
| his password to "admin" like this:
|
| UPDATE CMS_USERS SET USER_PASSWORD='ISMvKXpXpadDiUoOSoAfww==' WHERE USER_NAME='Admin';
|
| In most cases Admins have access to the opencms database as db root user
| and they can reset their own password, as I have to do occasionally ;o))
|
| Kind Regards,
| Arash
|
|
|
| Alexander Kandzior schrieb:
|>> this issue has been resolved in CVS Head
|>>
|> Actually this was a different issue.
|>
|> The issue described by John exists and can be described like this: The user
|> manager may change the password of an Admin, then using the Admin account
|> with the password now known to him to log in as the Admin, thereby
|> "promoting" himself.
|>
|> However, an account manager doing this will lock out the admin and thereby
|> make it quite obvious that something "strange" has happened. So this is at
|> least an operation that leaves quite a big trail. One could argue that even
|> an admin may forget his password, so it could be useful that an account
|> manager can reset this.
|>
|> So the 2 options are:
|>
|> 1) account managers must never change the password of an admin
|> 2) account managers should be able to change the password of an admin
|>
|> If 1) is the way to go ahead, what about the other data of an admin account?
|> Maybe an account manager should not be able to change any data from an admin
|> user at all?
|>
|> I would like some feedback on this issue. Please let me know what you think.
|>
|> Kind Regards,
|> Alex.
|>
|> -------------------
|> Alexander Kandzior
|>
|> Alkacon Software GmbH  - The OpenCms Experts
|> http://www.alkacon.com - http://www.opencms.org
|>
|> Visit us on CeBIT expo in Hannover, Germany
|> March 4 to March 9, 2008 - Hall 5 Stand F59/3
|>
|>
|>> -----Original Message-----
|>> From: opencms-dev-bounces at opencms.org
|>> [mailto:opencms-dev-bounces at opencms.org] On Behalf Of Arash
|>> Kaffamanesh
|>> Sent: Saturday, February 23, 2008 9:25 AM
|>> To: The OpenCms mailing list
|>> Subject: Re: [opencms-dev] Security bug (or design flaw) with
|>> Account Manager role
|>>
|>> hi,
|>>
|>> this issue has been resolved in CVS Head as Michael Moossen wrote this
|>> week and will be available in OpenCms 7.0.4 in short.
|>> You have to upgrade to Head or wait for OpenCms 7.0.4.
|>>
|>> Kind Regards,
|>> Arash
|>>
|>>
|>> John Weible schrieb:
|>>
|>>> As our OpenCms installation grows, we're now needing to delegate more
|>>> things to a broader set of staff.  One of those things is we need to
|>>> enable some folks to do basic user management (specifically
|>>> adding/removing users from groups).
|>>>
|>>> We're currently on 7.0.1.  So I tried granting the "Account Manager"
|>>> role to a couple of our NON-ADMINISTRATOR users.  This, as expected,
|>>> then allows them to add and remove groups for users.  The system also
|>>> correctly figures out that since they are not themselves "Root
|>>> Administrators", they are disallowed from promoting accounts to be
|>>> Administrators.
|>>>
|>>> The fatal flaw is that the system does NOT prevent them from changing
|>>> any Administrator's account password.
|>>>
|>>> Is there some different way to configure the system to delegate this
|>>> ability without introducing such a compromise?
|>>>
|>>>
|>>>
|>> _______________________________________________
|>> This mail is sent to you from the opencms-dev mailing list
|>> To change your list options, or to unsubscribe from the list,
|>> please visit
|>> http://lists.opencms.org/mailman/listinfo/opencms-dev
|>>
|>>
|>>
|>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHwViOVKBy6qoVEvwRAnAmAKClacLEVqnJBLB2RxVXLYFcJtDqMwCgjTda
p+FN80aNHiARtQp3Cpz/91s=
=aL+L
-----END PGP SIGNATURE-----
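Editor's note, added example (not OpenCms code and not posted by anyone in the thread): a small, runnable model of the two things discussed above. First, the authorisation question Alex raises, with the behaviour John reports (an account manager may edit any account, root administrators included) beside Alex's option 1 (an account manager may never touch an account that holds the root-administrator role). Second, the database-side reset Arash describes. The digest quoted in the thread, ISMvKXpXpadDiUoOSoAfww==, is exactly base64(MD5("admin")), so that is the scheme assumed here; the role names, the User class, the in-memory SQLite CMS_USERS table and the sample accounts are all constructed for the example and are not OpenCms identifiers or data.

```python
"""Added example: account-manager vs. root-administrator policy, plus the
out-of-band password reset. Nothing here is OpenCms source; the digest
scheme is inferred from the hash quoted in the thread."""

import base64
import hashlib
import hmac
import sqlite3
from dataclasses import dataclass, field

# Placeholder role names (assumption, not OpenCms identifiers).
ROOT_ADMIN = "root_administrator"
ACCOUNT_MANAGER = "account_manager"


def password_digest(password: str) -> str:
    """base64(MD5(password)): the only scheme that yields the thread's
    digest for the string "admin"."""
    raw = hashlib.md5(password.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def verify_password(password: str, stored_digest: str) -> bool:
    """Constant-time comparison of the recomputed digest with the stored one."""
    return hmac.compare_digest(password_digest(password), stored_digest)


@dataclass
class User:
    name: str
    digest: str
    roles: set = field(default_factory=set)


class PermissionDenied(Exception):
    pass


def may_edit_vulnerable(actor: User, target: User) -> bool:
    """Behaviour John reports: any account manager may edit any account."""
    return ROOT_ADMIN in actor.roles or ACCOUNT_MANAGER in actor.roles


def may_edit_hardened(actor: User, target: User) -> bool:
    """Option 1 from the thread: only a root administrator may edit an
    account that itself holds the root-administrator role."""
    if ROOT_ADMIN in actor.roles:
        return True
    if ACCOUNT_MANAGER in actor.roles:
        return ROOT_ADMIN not in target.roles
    return False


def set_password(actor: User, target: User, new_password: str,
                 policy=may_edit_hardened) -> None:
    """Password change guarded by the chosen policy."""
    if not policy(actor, target):
        raise PermissionDenied(f"{actor.name} may not edit {target.name}")
    target.digest = password_digest(new_password)


def login(user: User, password: str) -> bool:
    return verify_password(password, user.digest)


def takeover_succeeds(policy) -> bool:
    """Replay John's scenario under a policy: does an account manager end
    up able to log in as Admin with a password of their own choosing?"""
    admin = User("Admin", password_digest("s3cret-admin-pw"), {ROOT_ADMIN})
    manager = User("mallory", password_digest("mallory-pw"), {ACCOUNT_MANAGER})
    try:
        set_password(manager, admin, "known-to-mallory", policy)
    except PermissionDenied:
        return False
    return login(admin, "known-to-mallory")


def reset_admin_via_db(conn: sqlite3.Connection, new_password: str = "admin") -> None:
    """Arash's direct-database reset, parameterised rather than pasting a digest."""
    conn.execute("UPDATE CMS_USERS SET USER_PASSWORD=? WHERE USER_NAME=?",
                 (password_digest(new_password), "Admin"))
    conn.commit()


def demo_db_reset() -> bool:
    """Constructed CMS_USERS table (two columns only) with a forgotten Admin
    password; True when the reset stores the thread's digest and 'admin' logs in."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CMS_USERS (USER_NAME TEXT PRIMARY KEY, USER_PASSWORD TEXT)")
    conn.execute("INSERT INTO CMS_USERS VALUES (?, ?)",
                 ("Admin", password_digest("forgotten")))
    reset_admin_via_db(conn)
    (stored,) = conn.execute(
        "SELECT USER_PASSWORD FROM CMS_USERS WHERE USER_NAME='Admin'").fetchone()
    return stored == "ISMvKXpXpadDiUoOSoAfww==" and verify_password("admin", stored)


if __name__ == "__main__":
    print("digest('admin') =", password_digest("admin"))
    print("takeover, vulnerable policy:", takeover_succeeds(may_edit_vulnerable))
    print("takeover, hardened policy:  ", takeover_succeeds(may_edit_hardened))
    print("db reset restores login:    ", demo_db_reset())
```

The point of the hardened check is that the decision looks at the target's roles, not only the actor's: a role that can edit accounts is a role that can impersonate them, so it must not reach above its own privilege level. The reset path then stays with whoever holds database credentials, as Arash describes, and a parameterised UPDATE avoids hand-pasting a digest that happens to be an unsalted MD5 of a well-known string.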
