Security Flaw when giving permission to Sign In as User

As 'Super User' I can give other Administrators permission to 'Sign In as User'. However, having given them this permission, they can now sign in as me and do whatever they want with the system.

As a minimum general principle, someone should never be able to use the 'Sign In as User' facility to sign in as the Super User (just leave the button out when viewing the super user account, or better, only let the super user view/edit the super user account details).

Maybe not important on small systems, but on bigger systems with multiple administrators and multiple levels of administration, this is important. Ideally I would like to set up a restricted 'helper' level of administrator, who can sign in as a regular user to help them out, but not sign in as any higher level of administrator.

If there is time and resources to do more than the minimum above, then, when granting the permission to 'Sign In as User', it could be restricted selectively to group(s) of users.

Status: New

Still Valid:

This bug is valid in a newer version of concrete5.

JohntheFish replied:
The following change will fix the immediate issue:

line 335: if ( ($uo->getUserID() != $u->getUserID()) && ($uo->getUserID() != USER_SUPER_ID)) {

JohntheFish replied:
To prevent anyone but the super user from editing super user details, changes to /concrete/elements/users/search_results.php
line 76...:
<tr class="ccm-list-record <?php echo $striped?>"><?php
$u = new User();
if (($u->getUserID() != USER_SUPER_ID) && ($ui->getUserID() == USER_SUPER_ID)){?>
  <td> </td>
<?php } else { ?>
  <td class="ccm-user-list-cb" style="vertical-align: middle !important"><input type="checkbox" value="<?php echo $ui->getUserID()?>" user-email="<?php echo $ui->getUserEmail()?>" user-name="<?php echo $ui->getUserName()?>" /></td>
<?php }
foreach($columns->getColumns() as $col) { ?>
  <?php  if ($col->getColumnKey() == 'uName') { 
    if (($u->getUserID() != USER_SUPER_ID) && ($ui->getUserID() == USER_SUPER_ID)){
    ?><td><?php echo $ui->getUserName()?></td><?php  
    } else {
    ?><td><a href="<?php echo $action?>"><?php echo $ui->getUserName()?></a></td><?php

Browser User-Agent String

Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11
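
The policy requested in this report (nobody signs in as the super user, and a 'helper' administrator can only sign in as members of selected groups), written as one server-side check. This is an added example, not part of the thread and not concrete5 code: `canSignInAs()`, the array-based account shape, the group names and the policy map are all hypothetical, and `USER_SUPER_ID` is given an assumed value so the snippet runs stand-alone.

```php
<?php
// Added illustration, not concrete5 code. Every name here is hypothetical
// except USER_SUPER_ID, which appears in the thread (value assumed for the demo).
const USER_SUPER_ID = 1;

/**
 * Decide whether $actor may use 'Sign In as User' on $target.
 * Accounts are arrays: ['id' => int, 'groups' => string[]].
 * $impersonableGroups maps an actor group to the target groups it may sign in as.
 */
function canSignInAs(array $actor, array $target, array $impersonableGroups): bool
{
    // Mirrors the two conditions in the line 335 change: not yourself,
    // and never the super user, whoever is asking.
    if ($actor['id'] === $target['id'] || $target['id'] === USER_SUPER_ID) {
        return false;
    }
    // Assumption: the super user may sign in as any other account.
    if ($actor['id'] === USER_SUPER_ID) {
        return true;
    }
    // Collect every target group that the actor's own groups unlock.
    $allowed = [];
    foreach ($actor['groups'] as $group) {
        $allowed = array_merge($allowed, $impersonableGroups[$group] ?? []);
    }
    // Deny by default: a target with no groups is not covered by any grant.
    if ($target['groups'] === []) {
        return false;
    }
    // Every group of the target must be allowed, so membership in any
    // higher-level group (e.g. Administrators) blocks the request.
    return array_diff($target['groups'], $allowed) === [];
}

// Constructed sample data.
$policy = ['Helpers' => ['Registered Users']];
$super  = ['id' => USER_SUPER_ID, 'groups' => ['Administrators']];
$helper = ['id' => 7,  'groups' => ['Helpers']];
$member = ['id' => 42, 'groups' => ['Registered Users']];
$admin  = ['id' => 3,  'groups' => ['Registered Users', 'Administrators']];

var_dump(canSignInAs($helper, $member, $policy)); // helper -> regular user
var_dump(canSignInAs($helper, $admin,  $policy)); // helper -> administrator
var_dump(canSignInAs($helper, $super,  $policy)); // helper -> super user
var_dump(canSignInAs($super,  $helper, $policy)); // super user -> helper
```

The same function can decide both whether the 'Sign In as User' button is rendered and whether the request behind it is honoured, so the two cannot drift apart.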