[opencms-dev] Security bug (or design flaw) with Account Manager role
Alexander Kandzior
alex at opencms.org
Mon Feb 25 13:46:43 CET 2008
> great! Will the fix make it into 7.0.4?
Yes.
Kind Regards,
Alex.
-------------------
Alexander Kandzior
Alkacon Software GmbH - The OpenCms Experts
http://www.alkacon.com - http://www.opencms.org
Visit us on CeBIT expo in Hannover, Germany
March 4 to March 9, 2008 - Hall 5 Stand F59/3
> -----Original Message-----
> From: opencms-dev-bounces at opencms.org
> [mailto:opencms-dev-bounces at opencms.org] On Behalf Of Fabian Huschka
> Sent: Monday, February 25, 2008 11:57 AM
> To: The OpenCms mailing list
> Subject: Re: [opencms-dev] Security bug (or design flaw) with
> Account Manager role
>
> Hello Michael,
>
>
> great! Will the fix make it into 7.0.4?
>
>
> \Fabian
>
>
> Michael Moossen schrieb:
> > Hi, everybody!
> >
> > this bug has been fixed and just committed to the cvs HEAD.
> >
> > the implemented bugfix prevents account managers from changing
> > anything of an administrator account (ie. edit, change pwd, edit add
> > info, edit groups, delete)
> >
> > Kind regards,
> > Michael
> >
> > -------------------
> >
> > Alkacon Software GmbH - The OpenCms Experts
> > http://www.alkacon.com - http://www.opencms.org
> >
> >
> > Sebastian Himberger wrote:
> > Hi,
> >
> > | Maybe an account manager should not be able to change any
> > | data from an admin user at all?
> >
> > Imho this would be the best and easiest solution to prevent
> > this problem.
> >
> > I'll second Arash and Fabian.
> >
> > best regards,
> > Sebastian
> >
> > Arash Kaffamanesh schrieb:
> > | Hi Alex,
> > |
> > |>> Maybe an account manager should not be able to change
> > |>> any data from an admin user at all?
> > |
> > | Yes they should not be able to change Admin's password,
> > | if the admin forgets his password, he has to ask the database
> > | administrator to reset his password to "admin" like this:
> > |
> > | UPDATE CMS_USERS SET USER_PASSWORD='ISMvKXpXpadDiUoOSoAfww==' WHERE USER_NAME='Admin';
> > |
> > | In most cases Admins have access to the opencms database as
> > | db root user and they can reset their own password, as I have to do
> > | occasionally ;o))
> > |
> > | Kind Regards,
> > | Arash
> > |
> > |
> > |
> > | Alexander Kandzior schrieb:
> > |>> this issue has been resolved in CVS Head
> > |>>
> > |> Actually this was a different issue.
> > |>
> > |> The issue described by John exists and can be described
> > |> like this: The user manager may change the password of an Admin,
> > |> then using the Admin account with the password now known to him
> > |> to log in as the Admin, thereby "promoting" himself.
> > |>
> > |> However, an account manager doing this will lock out the
> > |> admin and thereby make it quite obvious that something "strange" has
> > |> happened. So this is at least an operation that leaves quite a big
> > |> trail. One could argue that even an admin may forget his password,
> > |> so it could be useful that an account manager can reset this.
> > |>
> > |> So the 2 options are:
> > |>
> > |> 1) account managers must never change the password of an admin
> > |> 2) account managers should be able to change the password of an admin
> > |>
> > |> If 1) is the way to go ahead, what about the other data of an admin
> > |> account? Maybe an account manager should not be able to change
> > |> any data from an admin user at all?
> > |>
> > |> I would like some feedback on this issue. Please let me know what
> > |> you think.
> > |>
> > |> Kind Regards,
> > |> Alex.
> > |>
> > |> -------------------
> > |> Alexander Kandzior
> > |>
> > |> Alkacon Software GmbH - The OpenCms Experts
> > |> http://www.alkacon.com - http://www.opencms.org
> > |>
> > |>
> > |>
> > |>> -----Original Message-----
> > |>> From: opencms-dev-bounces at opencms.org
> > |>> [mailto:opencms-dev-bounces at opencms.org] On Behalf Of Arash
> > |>> Kaffamanesh
> > |>> Sent: Saturday, February 23, 2008 9:25 AM
> > |>> To: The OpenCms mailing list
> > |>> Subject: Re: [opencms-dev] Security bug (or design flaw) with
> > |>> Account Manager role
> > |>>
> > |>> hi,
> > |>>
> > |>> this issue has been resolved in CVS Head as Michael Moossen
> > |>> wrote this
> > |>> week and will be available in OpenCms 7.0.4 in short.
> > |>> You have to upgrade to Head or wait for OpenCms 7.0.4.
> > |>>
> > |>> Kind Regards,
> > |>> Arash
> > |>>
> > |>>
> > |>> John Weible schrieb:
> > |>>
> > |>>> As our OpenCms installation grows, we're now needing to
> > |>>> delegate more things to a broader set of staff. One of those things
> > |>>> is we need to enable some folks to do basic user management
> > |>>> (specifically adding/removing users from groups).
> > |>>>
> > |>>> We're currently on 7.0.1. So I tried granting the "Account
> > |>>> Manager" role to a couple of our NON-ADMINISTRATOR users. This, as
> > |>>> expected, then allows them to add and remove groups for users. The
> > |>>> system also correctly figures out that since they are not themselves
> > |>>> "Root Administrators", they are disallowed from promoting accounts
> > |>>> to be Administrators.
> > |>>>
> > |>>> The fatal flaw is that the system does NOT prevent them
> > |>>> from changing any Administrator's account password.
> > |>>>
> > |>>> Is there some different way to configure the system to
> > |>>> delegate this ability without introducing such a compromise?
> > |>>>
> > |>>>
> > |>>>
> > |>> _______________________________________________
> > |>> This mail is sent to you from the opencms-dev mailing list
> > |>> To change your list options, or to unsubscribe from the list,
> > |>> please visit
> > |>> http://lists.opencms.org/mailman/listinfo/opencms-dev
> > |>>
> > |>>
> > |>>
> > |>
> > |>
> > |>
> > |
> > |
> > |
> > |
> >
>
>
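As an added illustration (not code from this thread or from OpenCms itself), the authorization rule the thread converges on, modelled in Python: the pre-fix check blocks only promotion to administrator and never looks at the target account's roles, while the fixed check denies an account manager every operation on any account that holds the administrator role. The role names, operation names and `User` type are constructed for this example.

```python
from dataclasses import dataclass, field

# Role and operation names are constructed for this illustration, not OpenCms's.
ROOT_ADMIN = "ROOT_ADMIN"
ACCOUNT_MANAGER = "ACCOUNT_MANAGER"
# The account operations Michael's fix covers: edit, change pwd, edit add info,
# edit groups, delete. Promotion to administrator is deliberately not in the set.
ACCOUNT_OPS = {"edit", "change_password", "edit_additional_info",
               "edit_groups", "delete"}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def authorize_before_fix(actor: User, target: User, op: str) -> bool:
    """Behaviour John reports for 7.0.1: an account manager may perform any
    account operation on any user; only promotion to administrator is refused."""
    if ROOT_ADMIN in actor.roles:
        return True
    if ACCOUNT_MANAGER in actor.roles:
        return op in ACCOUNT_OPS  # flaw: the target's roles are never consulted
    return False


def authorize_after_fix(actor: User, target: User, op: str) -> bool:
    """Rule from Michael's fix: an account manager may not change anything of
    an administrator account, so every operation on such a target is denied."""
    if ROOT_ADMIN in actor.roles:
        return True
    if ACCOUNT_MANAGER in actor.roles:
        if ROOT_ADMIN in target.roles:
            return False  # covers edit, change pwd, add info, groups, delete
        return op in ACCOUNT_OPS
    return False


def escalation_possible(authorize) -> bool:
    """True if, under the given policy, an account manager could reset an
    administrator's password and so log in with administrator rights."""
    manager = User("manager", {ACCOUNT_MANAGER})
    admin = User("Admin", {ROOT_ADMIN})
    return authorize(manager, admin, "change_password")


if __name__ == "__main__":
    print("before fix:", escalation_possible(authorize_before_fix))  # True
    print("after fix: ", escalation_possible(authorize_after_fix))   # False
```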