[opencms-dev] Security bug (or design flaw) with Account Manager role
John Weible
jweible at uiuc.edu
Tue Feb 26 22:29:55 CET 2008
Thanks very much, all, especially to Michael who says he's fixed it.
I'm glad to see I was able to describe an issue and start a thread that
is important to a number of you. (Some of our other issues seem to be
unique to our situation.)
Now we're looking forward to 7.0.4...
John Weible
Alexander Kandzior wrote:
>> great! Will the fix make it into 7.0.4?
>>
>
> Yes.
>
> Kind Regards,
> Alex.
>
>> -----Original Message-----
>> From: opencms-dev-bounces at opencms.org
>> [mailto:opencms-dev-bounces at opencms.org] On Behalf Of Fabian Huschka
>> Sent: Monday, February 25, 2008 11:57 AM
>> To: The OpenCms mailing list
>> Subject: Re: [opencms-dev] Security bug (or design flaw) with
>> Account Manager role
>>
>> Hello Michael,
>>
>>
>> great! Will the fix make it into 7.0.4?
>>
>>
>> \Fabian
>>
>>
>> Michael Moossen schrieb:
>>
>>> Hi, everybody!
>>>
>>> this bug has been fixed and just committed to the cvs HEAD.
>>>
>>> the implemented bugfix prevents account managers from changing anything of an
>>> administrator account (ie. edit, change pwd, edit add info, edit groups,
>>> delete)
>>>
>>> Kind regards,
>>> Michael
>>>
>>> -------------------
>>>
>>> Alkacon Software GmbH - The OpenCms Experts
>>> http://www.alkacon.com - http://www.opencms.org
>>>
>>> Visit us on CeBIT expo in Hannover, Germany
>>> March 4 to March 9, 2008 - Hall 5 Stand F59/3
>>>
>>> Sebastian Himberger wrote:
>>> Hi,
>>>
>>> | Maybe an account manager should not be able to change any data from an admin
>>> | user at all?
>>>
>>> Imho this would be the best and easiest solution to prevent this problem.
>>
>>> I'll second Arash and Fabian.
>>>
>>> best regards,
>>> Sebastian
>>>
>>> Arash Kaffamanesh schrieb:
>>> | Hi Alex,
>>> |
>>> |>> Maybe an account manager should not be able to change any data from an admin
>>> |>> user at all?
>>> |
>>> | Yes they should not be able to change Admin's password, if the admin
>>> | forgets his password, he has to ask the database administrator to reset
>>> | his password to "admin" like this:
>>> |
>>> | UPDATE CMS_USERS SET USER_PASSWORD='ISMvKXpXpadDiUoOSoAfww==' WHERE USER_NAME='Admin';
>>> |
>>> | In most cases Admins have access to the opencms database as db root user
>>> | and they can reset their own password, as I have to do occasionally ;o))
>>> |
>>> | Kind Regards,
>>> | Arash
>>> |
>>> |
>>> |
>>> | Alexander Kandzior schrieb:
>>> |>> this issue has been resolved in CVS Head
>>> |>>
>>> |> Actually this was a different issue.
>>> |>
>>> |> The issue described by John exists and can be described like this: The user
>>> |> manager may change the password of an Admin, then using the Admin account
>>> |> with the password now known to him to log in as the Admin, thereby
>>> |> "promoting" himself.
>>> |>
>>> |> However, an account manager doing this will lock out the admin and thereby
>>> |> making it quite obvious that something "strange" has happened. So this is at
>>> |> least an operation that leaves quite a big trail. One could argue that even
>>> |> an admin may forget his password, so it could be useful that an account
>>> |> manager can reset this.
>>> |>
>>> |> So the 2 options are:
>>> |>
>>> |> 1) account managers must never change the password of an admin
>>> |> 2) account managers should be able to change the password of an admin
>>> |>
>>> |> If 1) is the way to go ahead, what about the other data of an admin account?
>>> |> Maybe an account manager should not be able to change any data from an admin
>>> |> user at all?
>>> |>
>>> |> I would like some feedback on this issue. Please let me know what you think.
>>> |>
>>> |> Kind Regards,
>>> |> Alex.
>>> |>
>>> |> -------------------
>>> |> Alexander Kandzior
>>> |>
>>> |> Alkacon Software GmbH - The OpenCms Experts
>>> |> http://www.alkacon.com - http://www.opencms.org
>>> |>
>>> |> Visit us on CeBIT expo in Hannover, Germany
>>> |> March 4 to March 9, 2008 - Hall 5 Stand F59/3
>>> |>
>>> |>
>>> |>> -----Original Message-----
>>> |>> From: opencms-dev-bounces at opencms.org
>>> |>> [mailto:opencms-dev-bounces at opencms.org] On Behalf Of Arash
>>> |>> Kaffamanesh
>>> |>> Sent: Saturday, February 23, 2008 9:25 AM
>>> |>> To: The OpenCms mailing list
>>> |>> Subject: Re: [opencms-dev] Security bug (or design flaw) with
>>> |>> Account Manager role
>>> |>>
>>> |>> hi,
>>> |>>
>>> |>> this issue has been resolved in CVS Head as Michael Moossen
>>> |>> wrote this
>>> |>> week and will be available in OpenCms 7.0.4 in short.
>>> |>> You have to upgrade to Head or wait for OpenCms 7.0.4.
>>> |>>
>>> |>> Kind Regards,
>>> |>> Arash
>>> |>>
>>> |>>
>>> |>> John Weible schrieb:
>>> |>>
>>> |>>> As our OpenCms installation grows, we're now needing to delegate more
>>> |>>> things to a broader set of staff. One of those things is we need to
>>> |>>> enable some folks to do basic user management (specifically
>>> |>>> adding/removing users from groups).
>>> |>>>
>>> |>>> We're currently on 7.0.1. So I tried granting the "Account Manager"
>>> |>>> role to a couple of our NON-ADMINISTRATOR users. This, as expected,
>>> |>>> then allows them to add and remove groups for users. The system also
>>> |>>> correctly figures out that since they are not themselves "Root
>>> |>>> Administrators", they are disallowed from promoting accounts to be
>>> |>>> Administrators.
>>> |>>>
>>> |>>> The fatal flaw is that the system does NOT prevent them from changing
>>> |>>> any Administrator's account password.
>>> |>>>
>>> |>>> Is there some different way to configure the system to delegate this
>>> |>>> ability without introducing such a compromise?
>>>
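The policy the thread converges on (Alex's option 1, which Michael's fix implements: an account manager may change nothing on an administrator account), shown beside the policy John found in 7.0.1, as an added Python illustration that is not OpenCms code; the User class, role names, operation names and the audit line format are constructed for this example.

```python
# Added illustration, not OpenCms code: the role names, User class,
# operation names and audit format are all constructed for this example.
from dataclasses import dataclass, field

ROOT_ADMIN = "Root Administrator"
ACCOUNT_MANAGER = "Account Manager"
# The account operations the fix in the thread covers.
ACCOUNT_OPS = {"edit", "change_password", "edit_additional_info",
               "edit_groups", "delete"}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

    def is_admin(self) -> bool:
        return ROOT_ADMIN in self.roles


def allowed_before_fix(actor: User, target: User, op: str) -> bool:
    """Policy as John found it: the only thing withheld from an account
    manager is granting the admin role; who the target is never matters."""
    if actor.is_admin():
        return True
    if ACCOUNT_MANAGER in actor.roles:
        return op in ACCOUNT_OPS
    return False


def allowed_after_fix(actor: User, target: User, op: str) -> bool:
    """Option 1 from Alex's mail: an account manager gets no write access
    at all to an account that holds a role above his own."""
    if actor.is_admin():
        return True
    if ACCOUNT_MANAGER in actor.roles and not target.is_admin():
        return op in ACCOUNT_OPS
    return False


def audited(policy, actor: User, target: User, op: str, log: list) -> bool:
    """Record every decision: a denied attempt on an admin account is the
    kind of trail Alex mentions and is worth alerting on."""
    ok = policy(actor, target, op)
    log.append(f"{'ALLOW' if ok else 'DENY'} actor={actor.name} op={op} target={target.name}")
    return ok
```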