[opencms-dev] Security bug (or design flaw) with Account Manager role

Alexander Kandzior alex at opencms.org
Mon Feb 25 13:46:43 CET 2008


> great!  Will the fix make it into 7.0.4?

Yes.

Kind Regards,
Alex.
 
-------------------
Alexander Kandzior

Alkacon Software GmbH  - The OpenCms Experts                    
http://www.alkacon.com - http://www.opencms.org                 
                                                                
Visit us on CeBIT expo in Hannover, Germany                      
March 4 to March 9, 2008 - Hall 5 Stand F59/3                       

> -----Original Message-----
> From: opencms-dev-bounces at opencms.org 
> [mailto:opencms-dev-bounces at opencms.org] On Behalf Of Fabian Huschka
> Sent: Monday, February 25, 2008 11:57 AM
> To: The OpenCms mailing list
> Subject: Re: [opencms-dev] Security bug (or design flaw) with 
> Account Manager role
> 
> Hello Michael,
> 
> 
> great!  Will the fix make it into 7.0.4?
> 
> 
> \Fabian
> 
> 
> Michael Moossen schrieb:
> >  Hi, everybody!
> >
> > >  This bug has been fixed and just committed to the CVS HEAD.
> > >
> > >  The implemented bugfix prevents account managers from changing
> > >  anything of an administrator account (i.e. edit, change pwd, edit add
> > >  info, edit groups, delete)
> >
> >  Kind regards,
> >  Michael
> >
> >
> >  Sebastian Himberger wrote:
> > Hi,
> >
> > | Maybe an account manager should not be able to change any 
> data from an
> > admin
> > | user at all?
> >
> > Imho this would be the best and easiest solution to prevent 
> this problem.
> >
> > I'll second Arash and Fabian.
> >
> > best regards,
> > Sebastian
> >
> > Arash Kaffamanesh schrieb:
> > | Hi Alex,
> > |
> > |>> Maybe an account manager should not be able to change any data from
> > |>> an admin user at all?
> > |
> > | Yes, they should not be able to change Admin's password. If the admin
> > | forgets his password, he has to ask the database administrator to reset
> > | his password to "admin" like this:
> > |
> > | UPDATE CMS_USERS SET USER_PASSWORD='ISMvKXpXpadDiUoOSoAfww==' WHERE USER_NAME='Admin';
> > |
> > | In most cases Admins have access to the opencms database as db root user
> > | and they can reset their own password, as I have to do occasionally ;o))
> > |
> > | Kind Regards,
> > | Arash
> > |
> > |
> > |
> > | Alexander Kandzior schrieb:
> > |>> this issue has been resolved in CVS Head
> > |>>
> > |> Actually this was a different issue.
> > |>
> > |> The issue described by John exists and can be described like this: The
> > |> user manager may change the password of an Admin, then use the Admin
> > |> account with the password now known to him to log in as the Admin,
> > |> thereby "promoting" himself.
> > |>
> > |> However, an account manager doing this will lock out the admin and
> > |> thereby make it quite obvious that something "strange" has happened. So
> > |> this is at least an operation that leaves quite a big trail. One could
> > |> argue that even an admin may forget his password, so it could be useful
> > |> that an account manager can reset this.
> > |>
> > |> So the 2 options are:
> > |>
> > |> 1) account managers must never change the password of an admin
> > |> 2) account managers should be able to change the password of an admin
> > |>
> > |> If 1) is the way to go ahead, what about the other data of an admin
> > |> account? Maybe an account manager should not be able to change any
> > |> data from an admin user at all?
> > |>
> > |> I would like some feedback on this issue. Please let me know what you
> > |> think.
> > |>
> > |> Kind Regards,
> > |> Alex.
> > |>
> > |> -------------------
> > |> Alexander Kandzior
> > |>
> > |>
> > |>> -----Original Message-----
> > |>> From: opencms-dev-bounces at opencms.org
> > |>> [mailto:opencms-dev-bounces at opencms.org] On Behalf Of Arash
> > |>> Kaffamanesh
> > |>> Sent: Saturday, February 23, 2008 9:25 AM
> > |>> To: The OpenCms mailing list
> > |>> Subject: Re: [opencms-dev] Security bug (or design flaw) with
> > |>> Account Manager role
> > |>>
> > |>> hi,
> > |>>
> > |>> this issue has been resolved in CVS Head as Michael Moossen
> > |>> wrote this
> > |>> week and will be available in OpenCms 7.0.4 in short.
> > |>> You have to upgrade to Head or wait for OpenCms 7.0.4.
> > |>>
> > |>> Kind Regards,
> > |>> Arash
> > |>>
> > |>>
> > |>> John Weible schrieb:
> > |>>
> > |>>> As our OpenCms installation grows, we're now needing to delegate more
> > |>>> things to a broader set of staff.  One of those things is we need to
> > |>>> enable some folks to do basic user management (specifically
> > |>>> adding/removing users from groups).
> > |>>>
> > |>>> We're currently on 7.0.1.  So I tried granting the "Account Manager"
> > |>>> role to a couple of our NON-ADMINISTRATOR users.  This, as expected,
> > |>>> then allows them to add and remove groups for users.  The system also
> > |>>> correctly figures out that since they are not themselves "Root
> > |>>> Administrators", they are disallowed from promoting accounts to be
> > |>>> Administrators.
> > |>>>
> > |>>> The fatal flaw is that the system does NOT prevent them from changing
> > |>>> any Administrator's account password.
> > |>>>
> > |>>> Is there some different way to configure the system to delegate this
> > |>>> ability without introducing such a compromise?
> > |>>>
> > |>> _______________________________________________
> > |>> This mail is sent to you from the opencms-dev mailing list
> > |>> To change your list options, or to unsubscribe from the list,
> > |>> please visit
> > |>> http://lists.opencms.org/mailman/listinfo/opencms-dev
> > |>>
> > |>>
> > |>>
> > |>
> > |>
> > |>
> > |
> > |
> > |
> > |
> >
> > >
> 
> 
> 
> 

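The escalation John reported (an account manager resets Admin's password and then logs in as Admin) and the check Michael's fix introduces (an account manager who is not a root administrator may not touch an administrator account at all), as an added Python model. This is not OpenCms code, which is Java: the role constants, the Directory class, the method names and the sample users are assumptions made for the example. The hash helper reproduces the value in Arash's UPDATE statement, which is base64 of the MD5 digest of "admin".

```python
# Added example, not OpenCms code: a Python model of the account-manager
# escalation reported in this thread and of the check in the described fix.
# Role names, the Directory class and the sample users are assumptions.
import base64
import hashlib
from dataclasses import dataclass, field

# Stand-ins for the roles the thread calls "Root Administrator" and
# "Account Manager"; not OpenCms identifiers.
ROOT_ADMIN = "ROOT_ADMIN"
ACCOUNT_MANAGER = "ACCOUNT_MANAGER"


class PermissionDenied(Exception):
    pass


def password_hash(password: str) -> str:
    """base64(MD5(password)): the encoding of the value in the thread's
    UPDATE statement, which is this function applied to "admin"."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


@dataclass
class User:
    name: str
    password_hash: str
    roles: set = field(default_factory=set)


class Directory:
    """Toy user store with the 7.0.1 behaviour and the fixed check side by side."""

    def __init__(self, users):
        self.users = {u.name: u for u in users}

    def login(self, name: str, password: str) -> bool:
        u = self.users.get(name)
        return u is not None and u.password_hash == password_hash(password)

    def _require_manager(self, caller: User) -> None:
        if not caller.roles & {ACCOUNT_MANAGER, ROOT_ADMIN}:
            raise PermissionDenied(f"{caller.name} is not an account manager")

    def _require_may_touch(self, caller: User, target: User) -> None:
        """The fix as described: nobody short of a root administrator may
        change anything on an account that holds the root administrator role."""
        if ROOT_ADMIN in target.roles and ROOT_ADMIN not in caller.roles:
            raise PermissionDenied(f"{caller.name} may not modify administrator {target.name}")

    def set_password_7_0_1(self, caller_name, target_name, new_password):
        """Reported 7.0.1 behaviour: only the caller's role is checked, so an
        account manager can reset any password, including Admin's."""
        caller, target = self.users[caller_name], self.users[target_name]
        self._require_manager(caller)
        target.password_hash = password_hash(new_password)

    def set_password_fixed(self, caller_name, target_name, new_password):
        caller, target = self.users[caller_name], self.users[target_name]
        self._require_manager(caller)
        self._require_may_touch(caller, target)
        target.password_hash = password_hash(new_password)

    def delete_user_fixed(self, caller_name, target_name):
        """Same guard on the other operations the fix lists (edit, groups, delete)."""
        caller, target = self.users[caller_name], self.users[target_name]
        self._require_manager(caller)
        self._require_may_touch(caller, target)
        del self.users[target_name]


def build_directory() -> Directory:
    """Constructed sample data."""
    return Directory([
        User("Admin", password_hash("admin"), {ROOT_ADMIN}),
        User("mgr", password_hash("mgr-secret"), {ACCOUNT_MANAGER}),
        User("alice", password_hash("alice-pw")),
    ])


def escalation_succeeds(variant: str) -> bool:
    """Replay the attack from the thread: the account manager resets Admin's
    password, then logs in as Admin. True means the escalation worked."""
    d = build_directory()
    setter = getattr(d, f"set_password_{variant}")
    try:
        setter("mgr", "Admin", "owned")
    except PermissionDenied:
        return False
    return d.login("Admin", "owned")


if __name__ == "__main__":
    print("7.0.1 model:", escalation_succeeds("7_0_1"))
    print("fixed model:", escalation_succeeds("fixed"))
```

The point of the fix is that the authorization decision depends on the target's roles, not only on the caller's: a caller-only check is exactly what let the 7.0.1 account manager reach Admin. The model leaves out the audit trail Alex mentions (the locked-out admin noticing), which is detection after the fact, not prevention. The same hash helper also lets a locked-out administrator generate the value for an UPDATE like Arash's for a password other than "admin", so the well-known default never has to be set, even briefly.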


