<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Thanks very much, all, especially to Michael who says he's fixed it.
I'm glad to see I was able to describe an issue and start a thread that
is important to a number of you. (Some of our other issues seem to be
unique to our situation.)<br>
<br>
Now we're looking forward to 7.0.4... <br>
<br>
John Weible<br>
<br>
<br>
Alexander Kandzior wrote:
<blockquote cite="mid:005001c877ac$79e65e80$d700a8c0@PLAGUEIS"
type="cite">
<blockquote type="cite">
<pre wrap="">great! Will the fix make it into 7.0.4?
</pre>
</blockquote>
<pre wrap="">Yes.
Kind Regards,
Alex.
</pre>
<blockquote type="cite">
<pre wrap="">-----Original Message-----
From: <a class="moz-txt-link-abbreviated" href="mailto:opencms-dev-bounces@opencms.org">opencms-dev-bounces@opencms.org</a>
[<a class="moz-txt-link-freetext" href="mailto:opencms-dev-bounces@opencms.org">mailto:opencms-dev-bounces@opencms.org</a>] On Behalf Of Fabian Huschka
Sent: Monday, February 25, 2008 11:57 AM
To: The OpenCms mailing list
Subject: Re: [opencms-dev] Security bug (or design flaw) with Account Manager role

Hello Michael,
great! Will the fix make it into 7.0.4?
\Fabian

Michael Moossen wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi, everybody!
this bug has been fixed and just committed to the cvs HEAD.
the implemented bugfix prevents account managers from changing anything of an
administrator account (ie. edit, change pwd, edit add info, edit groups, delete)

Kind regards,
Michael
-------------------
Alkacon Software GmbH - The OpenCms Experts
<a class="moz-txt-link-freetext" href="http://www.alkacon.com">http://www.alkacon.com</a> - <a class="moz-txt-link-freetext" href="http://www.opencms.org">http://www.opencms.org</a>
Visit us on CeBIT expo in Hannover, Germany
March 4 to March 9, 2008 - Hall 5 Stand F59/3

Sebastian Himberger wrote:
Hi,
| Maybe an account manager should not be able to change any data from an admin
| user at all?
Imho this would be the best and easiest solution to prevent this problem.
I'll second Arash and Fabian.
best regards,
Sebastian

Arash Kaffamanesh wrote:
| Hi Alex,
|
|&gt;&gt; Maybe an account manager should not be able to change any data from an admin
| user at all?
|
| Yes they should not be able to change Admin's password, if the admin forgets
| his password, he has to ask the database administrator to reset his password
| to "admin" like this:
|
| UPDATE CMS_USERS SET USER_PASSWORD='ISMvKXpXpadDiUoOSoAfww==' WHERE USER_NAME='Admin';
|
| In most cases Admins have access to opencms database as db root user
| and they can reset their own password, as I have to do occasionally ;o))
|
| Kind Regards,
| Arash
|
|
|
| Alexander Kandzior wrote:
|&gt;&gt; this issue has been resolved in CVS Head
|&gt;&gt;
|&gt; Actually this was a different issue.
|&gt;
|&gt; The issue described by John exists and can be described like this: The user
|&gt; manager may change the password of an Admin, then using the Admin account
|&gt; with the password now known to him to log in as the Admin, thereby
|&gt; "promoting" himself.
|&gt;
|&gt; However, an account manager doing this will lock out the admin and thereby
|&gt; making it quite obvious that something "strange" has happened. So this is at
|&gt; least an operation that leaves quite a big trail. One could argue that even
|&gt; an admin may forget his password, so it could be useful that an account
|&gt; manager can reset this.
|&gt;
|&gt; So the 2 options are:
|&gt;
|&gt; 1) account managers must never change the password of an admin
|&gt; 2) account managers should be able to change the password of an admin
|&gt;
|&gt; If 1) is the way to go ahead, what about the other data of an admin account?
|&gt; Maybe an account manager should not be able to change any data from an admin
|&gt; user at all?
|&gt;
|&gt; I would like some feedback on this issue. Please let me know what you think.
|&gt;
|&gt; Kind Regards,
|&gt; Alex.
|&gt;
|&gt; -------------------
|&gt; Alexander Kandzior
|&gt;
|&gt; Alkacon Software GmbH - The OpenCms Experts
|&gt; <a class="moz-txt-link-freetext" href="http://www.alkacon.com">http://www.alkacon.com</a> - <a class="moz-txt-link-freetext" href="http://www.opencms.org">http://www.opencms.org</a>
|&gt;
|&gt; Visit us on CeBIT expo in Hannover, Germany
|&gt; March 4 to March 9, 2008 - Hall 5 Stand F59/3
|&gt;
|&gt;
|&gt;&gt; -----Original Message-----
|&gt;&gt; From: <a class="moz-txt-link-abbreviated" href="mailto:opencms-dev-bounces@opencms.org">opencms-dev-bounces@opencms.org</a>
|&gt;&gt; [<a class="moz-txt-link-freetext" href="mailto:opencms-dev-bounces@opencms.org">mailto:opencms-dev-bounces@opencms.org</a>] On Behalf Of Arash Kaffamanesh
|&gt;&gt; Sent: Saturday, February 23, 2008 9:25 AM
|&gt;&gt; To: The OpenCms mailing list
|&gt;&gt; Subject: Re: [opencms-dev] Security bug (or design flaw) with Account Manager role
|&gt;&gt;
|&gt;&gt; hi,
|&gt;&gt;
|&gt;&gt; this issue has been resolved in CVS Head as Michael Moossen wrote this
|&gt;&gt; week and will be available in OpenCms 7.0.4 in short.
|&gt;&gt; You have to upgrade to Head or wait for OpenCms 7.0.4.
|&gt;&gt;
|&gt;&gt; Kind Regards,
|&gt;&gt; Arash
|&gt;&gt;
|&gt;&gt;
|&gt;&gt; John Weible wrote:
|&gt;&gt;
|&gt;&gt;&gt; As our OpenCms installation grows, we're now needing to delegate more
|&gt;&gt;&gt; things to a broader set of staff. One of those things is we need to
|&gt;&gt;&gt; enable some folks to do basic user management (specifically
|&gt;&gt;&gt; adding/removing users from groups).
|&gt;&gt;&gt;
|&gt;&gt;&gt; We're currently on 7.0.1. So I tried granting the "Account Manager"
|&gt;&gt;&gt; role to a couple of our NON-ADMINISTRATOR users. This, as expected,
|&gt;&gt;&gt; then allows them to add and remove groups for users. The system also
|&gt;&gt;&gt; correctly figures out that since they are not themselves "Root
|&gt;&gt;&gt; Administrators", they are disallowed from promoting accounts to be
|&gt;&gt;&gt; Administrators.
|&gt;&gt;&gt;
|&gt;&gt;&gt; The fatal flaw is that the system does NOT prevent them from changing
|&gt;&gt;&gt; any Administrator's account password.
|&gt;&gt;&gt;
|&gt;&gt;&gt; Is there some different way to configure the system to delegate this
|&gt;&gt;&gt; ability without introducing such a compromise?
</pre>
</blockquote>
</blockquote>
</blockquote>
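The rule the thread settles on (Alex's option 1, as Michael describes the fix: account managers may not change anything of an administrator account), modelled as an added example. This is not OpenCms code; the role names, the operation list and the audit-line format are assumptions made for the illustration, and the <code>fixed=False</code> switch reproduces the 7.0.1 behaviour John reported.

```python
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    ROOT_ADMIN = "root administrator"      # assumed role names, not OpenCms constants
    ACCOUNT_MANAGER = "account manager"


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


# The operations the fix blocks on administrator accounts, taken from Michael's mail
# (edit, change pwd, edit additional info, edit groups, delete); identifiers are assumed.
ADMIN_ACCOUNT_OPERATIONS = {"edit", "change_password", "edit_additional_info",
                            "edit_groups", "delete"}


def may_modify(actor: User, target: User, operation: str, fixed: bool = True) -> bool:
    """Decide whether `actor` may run `operation` on `target`'s account.

    fixed=False: the reported 7.0.1 behaviour, an account manager may touch any
    account, including an Admin's password (the escalation path Alex describes).
    fixed=True: option 1), administrator accounts are off-limits to account managers.
    """
    if operation not in ADMIN_ACCOUNT_OPERATIONS:
        raise ValueError(f"unknown operation: {operation}")
    if Role.ROOT_ADMIN in actor.roles:
        return True                      # root admins are never restricted here
    if Role.ACCOUNT_MANAGER not in actor.roles:
        return False                     # ordinary users manage nobody
    if fixed and Role.ROOT_ADMIN in target.roles:
        return False                     # the fix: no changes to admin accounts
    return True


def audit_line(actor: User, target: User, operation: str, fixed: bool = True) -> str:
    """Build an audit record. Any non-admin acting on an Admin account is the
    'big trail' Alex mentions, so it is flagged whether or not it was allowed."""
    allowed = may_modify(actor, target, operation, fixed)
    suspicious = Role.ROOT_ADMIN in target.roles and Role.ROOT_ADMIN not in actor.roles
    severity = "ALERT" if suspicious else "INFO"
    return f"{severity} actor={actor.name} op={operation} target={target.name} allowed={allowed}"
```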
</body>
</html>