[TYPO3-core] Gremlin #1573: Admin user is logged out on testingbeuser settings
Sebastian Kurfuerst
sebastian at garbage-group.de
Sun Nov 6 21:52:13 CET 2005
Hi Masi,
> To protect it even more, a checkbox in the user module could be placed,
> so that the switch-back feature must be enabled manually.
I don't think this is needed... See below. If all new features have to
be activated manually, this is quite impractical for the user...
> Can the feature be a point of an attack? Yes, if a non-admin TYPO3
> user or any DB user somehow manages to manipulate the session
> table directly.
Well, if the user can manipulate the sessions table, he can simply set
ses_userid and reload the backend. This is even easier than using the
switch-back feature... Thus I think the risk of attack is not increased.
Greets,
Sebastian
--
Sebastian Kurfuerst
http://garbage-group.de/kontakt.html
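To make the argument above concrete, here is an added toy model of a backend session table with a switch-user / switch-back feature. It is example code written for this page, not TYPO3 code: only the column name ses_userid comes from the thread, while the ses_backuserid column, the user table and the class layout are assumptions. It shows the two attack paths Sebastian compares (writing ses_userid directly versus planting a stored back-user and calling switch-back) and that both need the same capability, write access to the session table. The check in switch_back that the stored back-user is still an admin is an added precaution, not something the thread proposes.

```python
"""Toy model of a backend session table with switch-user / switch-back.

Added illustration for the thread, not TYPO3 code. Only ``ses_userid`` is
from the thread; ``ses_backuserid``, the user table and the class layout
are assumptions made for this example.
"""

from dataclasses import dataclass

# Constructed user table (uid -> record); the admin flag drives all checks.
USERS = {
    1: {"name": "admin", "admin": True},
    2: {"name": "editor", "admin": False},
}


@dataclass
class Session:
    ses_id: str
    ses_userid: int          # user the backend treats as logged in
    ses_backuserid: int = 0  # assumed column: original user while switched


class SessionTable:
    """In-memory stand-in for the backend session table."""

    def __init__(self) -> None:
        self.rows: dict[str, Session] = {}

    def login(self, ses_id: str, uid: int) -> None:
        self.rows[ses_id] = Session(ses_id, uid)

    def current_uid(self, ses_id: str) -> int:
        return self.rows[ses_id].ses_userid

    def is_admin(self, ses_id: str) -> bool:
        return USERS[self.current_uid(ses_id)]["admin"]

    def switch_user(self, ses_id: str, target_uid: int) -> None:
        """Admin-only: act as target_uid, remembering the original user."""
        row = self.rows[ses_id]
        if not USERS[row.ses_userid]["admin"]:
            raise PermissionError("only admins may switch user")
        if row.ses_backuserid == 0:          # keep the first origin on nesting
            row.ses_backuserid = row.ses_userid
        row.ses_userid = target_uid

    def switch_back(self, ses_id: str) -> None:
        """Return to the remembered user.

        Requiring the remembered user to still be an admin is an added
        precaution for this example (e.g. against an admin demoted meanwhile).
        """
        row = self.rows[ses_id]
        if row.ses_backuserid == 0:
            raise PermissionError("no switch active")
        if not USERS[row.ses_backuserid]["admin"]:
            raise PermissionError("stored back-user is not an admin")
        row.ses_userid, row.ses_backuserid = row.ses_backuserid, 0


def denied(action) -> bool:
    """True if the zero-argument action raises PermissionError."""
    try:
        action()
    except PermissionError:
        return True
    return False


# --- The two attack paths compared in the thread -------------------------
# Both assume the attacker can already write rows of the session table.

def forge_ses_userid(table: SessionTable, ses_id: str, uid: int) -> int:
    """Path 1: overwrite ses_userid and 'reload the backend'."""
    table.rows[ses_id].ses_userid = uid
    return table.current_uid(ses_id)


def forge_switch_back(table: SessionTable, ses_id: str, uid: int) -> int:
    """Path 2: plant a back-user, then use the switch-back feature."""
    table.rows[ses_id].ses_backuserid = uid
    table.switch_back(ses_id)
    return table.current_uid(ses_id)


def legitimate_flow() -> tuple[int, int, int]:
    """Admin logs in, switches to the editor, switches back."""
    t = SessionTable()
    t.login("s", 1)
    t.switch_user("s", 2)
    after_switch = t.current_uid("s")
    t.switch_back("s")
    return 1, after_switch, t.current_uid("s")


if __name__ == "__main__":
    print(legitimate_flow())
    t = SessionTable(); t.login("s", 2)
    print("direct forge ->", forge_ses_userid(t, "s", 1))
    t = SessionTable(); t.login("s", 2)
    print("switch-back forge ->", forge_switch_back(t, "s", 1))
```

Without database write access the editor session cannot use either path: switch_user refuses a non-admin, and switch_back refuses a session with no stored back-user. With write access, path 1 is the shorter one, which is the point of the reply.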