[TYPO3-core] Gremlin #1573: Admin user is logged outon testingbeuser settings

Martin Kutschker Martin.Kutschker at blackbox.net
Sun Nov 6 22:03:37 CET 2005

Sebastian Kurfuerst <sebastian at garbage-group.de> writes on 
Sun, 06 Nov 2005 21:52:13 +0100 (MET):

> Hi Masi,
> > To protect it even more a checkbox in the user module could be
> > placed.
> > So that the switch-back feature must be anabled manually.
> I don't think this is needed... See below. If all new features will
> have to be activated this is quite impractical for the user...

Potentially dangerous features should not be triggered easily. and ticking a checkbox is not that complicated.

> > Can the feature be a point of an attack? Yes, if a non-admin TYPO3
> > user or any DB-user directly somehow manages to manipulate the
> > session table. 
> Well, if the user can manipulate the sessions table he can simply set
> ses_userid and reload the backend. This is even easier than using the
> switchback feature... Thus I think the risk of attack is not
> increased.



More information about the TYPO3-team-core mailing list