[opencms-dev] Security bug (or design flaw) with Account Manager role

Michael Moossen m.moossen at alkacon.com
Mon Feb 25 10:59:50 CET 2008


Hi, everybody!

This bug has been fixed and just committed to the CVS HEAD.

The implemented bugfix prevents account managers from changing anything of an
administrator account (i.e. edit, change password, edit additional info, edit
groups, delete).

Kind regards,
Michael

-------------------

Alkacon Software GmbH  - The OpenCms Experts
http://www.alkacon.com - http://www.opencms.org

Visit us on CeBIT expo in Hannover, Germany
March 4 to March 9, 2008 - Hall 5 Stand F59/3
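
The check described in this thread, as an added illustration that is not OpenCms code and not part of the original mail: the role names, the `User` record and the two `mayEdit...` methods are hypothetical and only model the behaviour the thread reports. `mayEditVulnerable` reproduces the 7.0.1 situation John describes (only promotion to an administrator role is blocked, so an account manager can still change an administrator's password and then log in as that administrator); `mayEditFixed` applies the rule from the fix, namely that a caller who is not a root administrator may not modify an account that holds an administrator role at all.

```java
// Added illustration, not OpenCms code: an authorization check for the
// "account manager edits an administrator account" case from this thread.
// Role names, the User record and both mayEdit... methods are hypothetical.
import java.util.EnumSet;
import java.util.Set;

public class AccountManagerCheck {

    /** Hypothetical role names, modelled loosely on the roles named in the thread. */
    enum Role { ROOT_ADMIN, ADMINISTRATOR, ACCOUNT_MANAGER, USER }

    /** Minimal user record: a name and the set of roles held. */
    static final class User {
        final String name;
        final Set<Role> roles;
        User(String name, Set<Role> roles) { this.name = name; this.roles = roles; }
        boolean has(Role r) { return roles.contains(r); }
        boolean isAdmin() { return has(Role.ADMINISTRATOR) || has(Role.ROOT_ADMIN); }
    }

    /**
     * Behaviour reported for 7.0.1: an account manager may edit any user, and
     * only "promotion" of a non-admin to an administrator role is refused.
     * A password change (an edit with unchanged roles) on an administrator
     * account passes, which is the flaw: the account manager can then log in
     * as that administrator.
     */
    static boolean mayEditVulnerable(User caller, User target, Set<Role> newRoles) {
        if (!caller.has(Role.ACCOUNT_MANAGER) && !caller.has(Role.ROOT_ADMIN)) return false;
        boolean promotes = !target.isAdmin()
            && (newRoles.contains(Role.ADMINISTRATOR) || newRoles.contains(Role.ROOT_ADMIN));
        return !(promotes && !caller.has(Role.ROOT_ADMIN));
    }

    /**
     * The rule from the fix: a caller who is not a root administrator may not
     * touch an administrator account at all (no edit, password change,
     * additional info, group change or delete). Promotion stays refused.
     */
    static boolean mayEditFixed(User caller, User target, Set<Role> newRoles) {
        if (caller.has(Role.ROOT_ADMIN)) return true;
        if (!caller.has(Role.ACCOUNT_MANAGER)) return false;
        if (target.isAdmin()) return false;   // the added check: admin accounts are off limits
        boolean promotes = newRoles.contains(Role.ADMINISTRATOR) || newRoles.contains(Role.ROOT_ADMIN);
        return !promotes;
    }

    public static void main(String[] args) {
        // Constructed sample accounts.
        User admin = new User("Admin", EnumSet.of(Role.ROOT_ADMIN));
        User mgr = new User("mgr", EnumSet.of(Role.ACCOUNT_MANAGER));
        User alice = new User("alice", EnumSet.of(Role.USER));
        Set<Role> adminUnchanged = EnumSet.copyOf(admin.roles);

        // A password change is an edit that leaves the roles unchanged.
        System.out.println("7.0.1 behaviour: mgr may change Admin's password? "
            + mayEditVulnerable(mgr, admin, adminUnchanged));
        System.out.println("fixed behaviour: mgr may change Admin's password? "
            + mayEditFixed(mgr, admin, adminUnchanged));

        // Delegation that the account manager role is meant for still works.
        System.out.println("fixed behaviour: mgr may edit alice's groups? "
            + mayEditFixed(mgr, alice, EnumSet.of(Role.USER)));
        System.out.println("fixed behaviour: mgr may promote alice to Administrator? "
            + mayEditFixed(mgr, alice, EnumSet.of(Role.ADMINISTRATOR)));
    }
}
```

Compile and run with `javac AccountManagerCheck.java && java AccountManagerCheck`. The point of the second method is that the target's roles are checked before anything about the requested change is looked at, so the decision does not depend on which of the several edit operations (password, additional info, groups, delete) the caller picked.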

Sebastian Himberger wrote:
> Hi,
> 
> | Maybe an account manager should not be able to change any data from an
> | admin user at all?
> 
> Imho this would be the best and easiest solution to prevent this problem.
> 
> I'll second Arash and Fabian.
> 
> best regards,
> Sebastian
> 
> Arash Kaffamanesh schrieb:
> | Hi Alex,
> |
> |>> Maybe an account manager should not be able to change any data from
> |>> an admin user at all?
> |
> | Yes, they should not be able to change Admin's password. If the admin
> | forgets his password, he has to ask the database administrator to reset
> | his password to "admin" like this:
> |
> | UPDATE CMS_USERS SET USER_PASSWORD='ISMvKXpXpadDiUoOSoAfww==' WHERE
> | USER_NAME='Admin';
> |
> | In most cases Admins have access to the OpenCms database as db root user
> | and they can reset their own password, as I have to do occasionally ;o))
> |
> | Kind Regards,
> | Arash
> |
> |
> |
> | Alexander Kandzior schrieb:
> |>> this issue has been resolved in CVS Head
> |>>
> |> Actually this was a different issue.
> |>
> |> The issue described by John exists and can be described like this: The user
> |> manager may change the password of an Admin, then using the Admin account
> |> with the password now known to him to log in as the Admin, thereby
> |> "promoting" himself.
> |>
> |> However, an account manager doing this will lock out the admin and thereby
> |> make it quite obvious that something "strange" has happened. So this is at
> |> least an operation that leaves quite a big trail. One could argue that even
> |> an admin may forget his password, so it could be useful that an account
> |> manager can reset this.
> |>
> |> So the 2 options are:
> |>
> |> 1) account managers must never change the password of an admin
> |> 2) account managers should be able to change the password of an admin
> |>
> |> If 1) is the way to go ahead, what about the other data of an admin account?
> |> Maybe an account manager should not be able to change any data from an admin
> |> user at all?
> |>
> |> I would like some feedback on this issue. Please let me know what you think.
> |>
> |> Kind Regards,
> |> Alex.
> |>
> |> -------------------
> |> Alexander Kandzior
> |>
> |> Alkacon Software GmbH  - The OpenCms Experts
> |> http://www.alkacon.com - http://www.opencms.org
> |>
> |> Visit us on CeBIT expo in Hannover, Germany
> |> March 4 to March 9, 2008 - Hall 5 Stand F59/3
> |>
> |>
> |>> -----Original Message-----
> |>> From: opencms-dev-bounces at opencms.org
> |>> [mailto:opencms-dev-bounces at opencms.org] On Behalf Of Arash
> |>> Kaffamanesh
> |>> Sent: Saturday, February 23, 2008 9:25 AM
> |>> To: The OpenCms mailing list
> |>> Subject: Re: [opencms-dev] Security bug (or design flaw) with
> |>> Account Manager role
> |>>
> |>> hi,
> |>>
> |>> this issue has been resolved in CVS Head as Michael Moossen wrote this
> |>> week and will be available in OpenCms 7.0.4 shortly.
> |>> You have to upgrade to Head or wait for OpenCms 7.0.4.
> |>>
> |>> Kind Regards,
> |>> Arash
> |>>
> |>>
> |>> John Weible schrieb:
> |>>
> |>>> As our OpenCms installation grows, we're now needing to delegate more
> |>>> things to a broader set of staff.  One of those things is we need to
> |>>> enable some folks to do basic user management (specifically
> |>>> adding/removing users from groups).
> |>>>
> |>>> We're currently on 7.0.1.  So I tried granting the "Account Manager"
> |>>> role to a couple of our NON-ADMINISTRATOR users.  This, as expected,
> |>>> then allows them to add and remove groups for users.  The system also
> |>>> correctly figures out that since they are not themselves "Root
> |>>> Administrators", they are disallowed from promoting accounts to be
> |>>> Administrators.
> |>>>
> |>>> The fatal flaw is that the system does NOT prevent them from changing
> |>>> any Administrator's account password.
> |>>>
> |>>> Is there some different way to configure the system to delegate this
> |>>> ability without introducing such a compromise?
> |>>>
> |>>
> |>> _______________________________________________
> |>> This mail is sent to you from the opencms-dev mailing list
> |>> To change your list options, or to unsubscribe from the list,
> |>> please visit
> |>> http://lists.opencms.org/mailman/listinfo/opencms-dev
> |>>
> |>>
> |>>
> |>
> |>
> |>
> |
> |
> |
> |
> 