[opencms-dev] Security bug (or design flaw) with Account Manager role

John Weible jweible at uiuc.edu
Tue Feb 26 22:29:55 CET 2008


Thanks very much, all, especially to Michael who says he's fixed it.  
I'm glad to see I was able to describe an issue and start a thread that 
is important to a number of you.  (Some of our other issues seem to be 
unique to our situation.)

Now we're looking forward to 7.0.4... 

John Weible


Alexander Kandzior wrote:
>> great!  Will the fix make it into 7.0.4?
>>     
>
> Yes.
>
> Kind Regards,
> Alex.                    
>   
>> -----Original Message-----
>> From: opencms-dev-bounces at opencms.org 
>> [mailto:opencms-dev-bounces at opencms.org] On Behalf Of Fabian Huschka
>> Sent: Monday, February 25, 2008 11:57 AM
>> To: The OpenCms mailing list
>> Subject: Re: [opencms-dev] Security bug (or design flaw) with 
>> Account Manager role
>>
>> Hello Michael,
>>
>>
>> great!  Will the fix make it into 7.0.4?
>>
>>
>> \Fabian
>>
>>
>> Michael Moossen schrieb:
>>     
>>>  Hi, everybody!
>>>
>>>  this bug has been fixed and just committed to the cvs HEAD.
>>>
>>>  the implemented bugfix prevents account managers from changing
>>>  anything of an administrator account (i.e. edit, change pwd, edit add
>>>  info, edit groups, delete)
>>>
>>>  Kind regards,
>>>  Michael
>>>
>>>  -------------------
>>>
>>>  Alkacon Software GmbH  - The OpenCms Experts
>>>  http://www.alkacon.com - http://www.opencms.org
>>>
>>>  Visit us on CeBIT expo in Hannover, Germany
>>>  March 4 to March 9, 2008 - Hall 5 Stand F59/3
>>>
>>>  Sebastian Himberger wrote:
>>> Hi,
>>>
>>> | Maybe an account manager should not be able to change any data from an
>>> | admin user at all?
>>>
>>> Imho this would be the best and easiest solution to prevent this problem.
>>     
>>> I'll second Arash and Fabian.
>>>
>>> best regards,
>>> Sebastian
>>>
>>> Arash Kaffamanesh schrieb:
>>> | Hi Alex,
>>> |
>>> |>> Maybe an account manager should not be able to change any data from
>>> |>> an admin user at all?
>>> |
>>> | Yes they should not be able to change Admin's password; if the admin
>>> | forgets his password, he has to ask the database administrator to reset
>>> | his password to "admin" like this:
>>> |
>>> | UPDATE CMS_USERS SET USER_PASSWORD='ISMvKXpXpadDiUoOSoAfww==' WHERE
>>> | USER_NAME='Admin';
>>> |
>>> | In most cases Admins have access to the opencms database as db root user
>>> | and they can reset their own password, as I have to do occasionally ;o))
>>     
>>> |
>>> | Kind Regards,
>>> | Arash
>>> |
>>> |
>>> |
>>> | Alexander Kandzior schrieb:
>>> |>> this issue has been resolved in CVS Head
>>> |>>
>>> |> Actually this was a different issue.
>>> |>
>>> |> The issue described by John exists and can be described like this: The user
>>> |> manager may change the password of an Admin, then using the Admin account
>>> |> with the password now known to him to log in as the Admin, thereby
>>> |> "promoting" himself.
>>> |>
>>> |> However, an account manager doing this will lock out the admin and thereby
>>> |> make it quite obvious that something "strange" has happened. So this is at
>>> |> least an operation that leaves quite a big trail. One could argue that even
>>> |> an admin may forget his password, so it could be useful that an account
>>> |> manager can reset this.
>>> |>
>>> |> So the 2 options are:
>>> |>
>>> |> 1) account managers must never change the password of an admin
>>> |> 2) account managers should be able to change the password of an admin
>>     
>>> |>
>>> |> If 1) is the way to go ahead, what about the other data of an admin
>>> |> account?
>>> |> Maybe an account manager should not be able to change any data from
>>> |> an admin user at all?
>>> |>
>>> |> I would like some feedback on this issue. Please let me know what you
>>> |> think.
>>> |>
>>> |> Kind Regards,
>>> |> Alex.
>>> |>
>>> |> -------------------
>>> |> Alexander Kandzior
>>> |>
>>> |> Alkacon Software GmbH  - The OpenCms Experts
>>> |> http://www.alkacon.com - http://www.opencms.org
>>> |>
>>> |> Visit us on CeBIT expo in Hannover, Germany
>>> |> March 4 to March 9, 2008 - Hall 5 Stand F59/3
>>> |>
>>> |>
>>> |>> -----Original Message-----
>>> |>> From: opencms-dev-bounces at opencms.org
>>> |>> [mailto:opencms-dev-bounces at opencms.org] On Behalf Of Arash
>>> |>> Kaffamanesh
>>> |>> Sent: Saturday, February 23, 2008 9:25 AM
>>> |>> To: The OpenCms mailing list
>>> |>> Subject: Re: [opencms-dev] Security bug (or design flaw) with
>>> |>> Account Manager role
>>> |>>
>>> |>> hi,
>>> |>>
>>> |>> this issue has been resolved in CVS Head as Michael Moossen
>>> |>> wrote this
>>> |>> week and will be available in OpenCms 7.0.4 in short.
>>> |>> You have to upgrade to Head or wait for OpenCms 7.0.4.
>>> |>>
>>> |>> Kind Regards,
>>> |>> Arash
>>> |>>
>>> |>>
>>> |>> John Weible schrieb:
>>> |>>
>>> |>>> As our OpenCms installation grows, we're now needing to delegate more
>>> |>>> things to a broader set of staff.  One of those things is we need to
>>> |>>> enable some folks to do basic user management (specifically
>>> |>>> adding/removing users from groups).
>>> |>>>
>>> |>>> We're currently on 7.0.1.  So I tried granting the "Account Manager"
>>> |>>> role to a couple of our NON-ADMINISTRATOR users.  This, as expected,
>>> |>>> then allows them to add and remove groups for users.  The system also
>>> |>>> correctly figures out that since they are not themselves "Root
>>> |>>> Administrators", they are disallowed from promoting accounts to be
>>> |>>> Administrators.
>>> |>>>
>>> |>>> The fatal flaw is that the system does NOT prevent them from changing
>>> |>>> any Administrator's account password.
>>> |>>>
>>> |>>> Is there some different way to configure the system to delegate this
>>> |>>> ability without introducing such a compromise?
>>>       
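The authorization gap John reports and the rule Michael committed, as an added Python model that is not OpenCms code: the role names, the User class and both check functions are simplified assumptions standing in for the real role system, written to show why blocking only role promotion is not enough.

```python
# Added model of the Account Manager / Administrator authorization gap from
# this thread. It is NOT OpenCms code: the role names, User class and checks
# are simplified assumptions standing in for the real role system.
from dataclasses import dataclass, field
from typing import Callable, Optional, Set

ROOT_ADMIN = "ROOT_ADMIN"            # assumed stand-in for "Root Administrator"
ACCOUNT_MANAGER = "ACCOUNT_MANAGER"  # assumed stand-in for "Account Manager"

@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)

class AuthorizationError(Exception):
    pass

def check_before_fix(actor: User, target: User, action: str,
                     new_roles: Optional[Set[str]] = None) -> None:
    """Behaviour John reports on 7.0.1: an account manager may edit any user;
    only granting the administrator role is reserved to root administrators.
    Nothing here stops a password change on an administrator's account."""
    if not actor.roles & {ACCOUNT_MANAGER, ROOT_ADMIN}:
        raise AuthorizationError(f"{actor.name} has no user-management role")
    if action == "set_roles" and ROOT_ADMIN in (new_roles or set()) \
            and ROOT_ADMIN not in actor.roles:
        raise AuthorizationError("only root administrators may grant ROOT_ADMIN")

def check_after_fix(actor: User, target: User, action: str,
                    new_roles: Optional[Set[str]] = None) -> None:
    """Michael's rule: a non-administrator account manager may change nothing
    on an administrator account (edit, password, additional info, groups,
    delete), which closes the reset-password-then-log-in escalation path."""
    check_before_fix(actor, target, action, new_roles)
    if ROOT_ADMIN in target.roles and ROOT_ADMIN not in actor.roles:
        raise AuthorizationError(
            f"{actor.name} may not modify administrator account {target.name}")

def attempt(check: Callable[..., None], actor: User, target: User,
            action: str, new_roles: Optional[Set[str]] = None) -> bool:
    """True if the given check permits the action, False if it denies it."""
    try:
        check(actor, target, action, new_roles)
        return True
    except AuthorizationError:
        return False
```

Run `attempt(check_before_fix, manager, admin, "change_password")` against `attempt(check_after_fix, ...)` with the same users to see the single missing target-role check that separates the two behaviours.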