Security Flaw when giving permission to Sign In as User

March 02, 2012 at 6:08 AM Permalink 0

As 'Super User' I can give other Administrators permission to 'Sign In as User'. However, having given them this permission, they can now sign in as me and do whatever they want with the system.

As a minimum general principle, someone should never be able to use the 'Sign In as User' facility to sign in as the Super User (just leave the button out when viewing the super user account, or better, only let the super user view/edit the super user account details)

Maybe not important on small systems, but on bigger systems with multiple administrators and multiple levels of administration, this is important. Ideally I would like to set up a restricted 'helper' level of administrator, who can sign in as a regular user to help them out, but not sign in as any higher level of administrator.

If there is time and resources to do more than the minimum above, then when granting the permission to 'Sign In as User' could restrict it selectively to group(s) of users.

Tags:

security, Permission, Administrator, super user

Status:	New

Still Valid:

This bug is valid a newer version of concrete5. View Current Bug

JohntheFish replied on Mar 2, 2012 at 6:30 am Permalink

The following change will fix the immediate issue:

File:
/concrete/single_pages/dashboard/users/search.php

line 335: if ( ($uo->getUserID() != $u->getUserID()) && ($uo->getUserID() != USER_SUPER_ID)) {

JohntheFish replied on Mar 2, 2012 at 6:58 am Permalink

To prevent anyone but the super user from editing super user details, changes to /concrete/elements/users/search_results.php

line 76...:
<tr class="ccm-list-record <?php echo $striped?>"><?php
$u = new User();
if (($u->getUserID() != USER_SUPER_ID) && ($ui->getUserID() == USER_SUPER_ID)){?>
  <td> </td>
<?php } else { ?>
  <td class="ccm-user-list-cb" style="vertical-align: middle !important"><input type="checkbox" value="<?php echo $ui->getUserID()?>" user-email="<?php echo $ui->getUserEmail()?>" user-name="<?php echo $ui->getUserName()?>" /></td>
<?php
}
foreach($columns->getColumns() as $col) { ?>
  <?php  if ($col->getColumnKey() == 'uName') { 
    if (($u->getUserID() != USER_SUPER_ID) && ($ui->getUserID() == USER_SUPER_ID)){
    ?><td><?php echo $ui->getUserName()?></td><?php  
    } else {
    ?><td><a href="<?php echo $action?>"><?php echo $ui->getUserName()?></a></td><?php

Viewing 15 lines of 21 lines. View entire code block.

 
line 76...:
<tr class="ccm-list-record <?php echo $striped?>"><?php
$u = new User();
if (($u->getUserID() != USER_SUPER_ID) && ($ui->getUserID() == USER_SUPER_ID)){?>
  <td> </td>
<?php } else { ?>
  <td class="ccm-user-list-cb" style="vertical-align: middle !important"><input type="checkbox" value="<?php echo $ui->getUserID()?>" user-email="<?php echo $ui->getUserEmail()?>" user-name="<?php echo $ui->getUserName()?>" /></td>
<?php
}
foreach($columns->getColumns() as $col) { ?>
  <?php  if ($col->getColumnKey() == 'uName') { 
    if (($u->getUserID() != USER_SUPER_ID) && ($ui->getUserID() == USER_SUPER_ID)){
    ?><td><?php echo $ui->getUserName()?></td><?php  
    } else {
    ?><td><a href="<?php echo $action?>"><?php echo $ui->getUserName()?></a></td><?php  
    }
  } else { ?>
    <td><?php echo $col->getColumnValue($ui)?></td>
  <?php  } ?>
<?php 
} ?></tr>

Confirm Bug

Copy To Current

I have verified this bug still exists in the current version of concrete5.

Copy To Current Version

concrete5 Environment Information

5.5.1

Browser User-Agent String

Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11

Delete Post

You are allowed to delete your post for 5 minutes after it's posted.

Delete

Sign In?

You must have a user account and be signed to perform this action.