[TYPO3-core] Gremlin #1573: Admin user is logged out on testing beuser settings
Martin Kutschker
Martin.Kutschker at blackbox.net
Sun Nov 6 22:03:37 CET 2005
Sebastian Kurfuerst <sebastian at garbage-group.de> writes on
Sun, 06 Nov 2005 21:52:13 +0100 (MET):
> Hi Masi,
>
> > To protect it even more a checkbox in the user module could be
> > placed.
> > So that the switch-back feature must be enabled manually.
>
> I don't think this is needed... See below. If all new features will
> have to be activated this is quite impractical for the user...
Potentially dangerous features should not be triggered easily, and ticking a checkbox is not that complicated.
> > Can the feature be a point of an attack? Yes, if a non-admin TYPO3
> > user or any DB-user directly somehow manages to manipulate the
> > session table.
>
> Well, if the user can manipulate the sessions table he can simply set
> ses_userid and reload the backend. This is even easier than using the
> switchback feature... Thus I think the risk of attack is not
> increased.
Ouch!
Masi