6.7 LTS: Possible security threat: Logging into Wiki A as admin may raise your privilege level in Wiki B
- Status
- Open
- Subject
- 6.7 LTS: Possible security threat: Logging into Wiki A as admin may raise your privilege level in Wiki B
- Version
- 6.x
- Category
- Error
- Feature request
- Feature
- Administration
Installer (profiles, upgrades and server-related issues)
Performance / Speed / Load / Compression / Cache
User Administration (Registration, Login & Banning) - Submitted by
- hman
- Lastmod by
- hman
- Rating
- Description
I looked if something like this has been reported previously, but didn't find something that completely fits, so I post this and apologize if I missed something.
Since I have already put some detail into a support request and at the moment I believe it only concerns two Wikis belonging to the same admin, here is a description:
Steps to reproduce:
1) Take any Tiki installation and move a new directory
2) Create a new DB with a copy of the original DB
3) Upgrade and start it up
4) Log into the old installation as admin
5) Find out you're admin on the new one, too.It may well be that for some admins this is a wanted behaviour like as a single-sign-on (SSO).
But it is my firm belief that any such behaviour is to be considerd a breach of security unless both admins have expressley activated this as a wanted behaviour. Possibly the problem also exists if two different admins operate two different Tikis on the same hosted volume, that somehow were created from one single predecessor, so maybe this is not as harmless as it might seem to be.
I do not know, but suspect, this could be a cookie issue.
Resolution could be that tiki-installer regenerates all security structures upon installation and/or upgrades, or at least asks the admin whether such should be reset. Also, there should be a button in the administration panel to reset this at any later time. In my opinion TikiWiki should at all times, if not told to behave otherwise, protect its instance against all other possible instances of itself...
At some point confusion may get so high to a user's browser that logging into Wiki B alone will not function, and you have to log into Wiki A to be able to access Wiki B. At the moment I experience this with my new 6.7 LTS and my old 1.9.8.3. sitting in different directories on the same volume, accessing to different MySQL DBs with differing user names and passwords...
- Importance
- 7
- Easy to solve?
- 6
- Priority
- 42
- Demonstrate Bug on Tiki 19+
-
This bug has been demonstrated on show2.tiki.org
Please demonstrate your bug on show2.tiki.org
- Demonstrate Bug (older Tiki versions)
-
This bug has been demonstrated on show.tikiwiki.org
Please demonstrate your bug on show.tikiwiki.org
Show.tiki.org is currently unavailableUnable to connect to show.tikiwiki.org. Please let us know of the problem so that we can do something about it. Thanks.
- Ticket ID
- 4229
- Created
- Monday 21 May, 2012 12:48:01 UTC
by hman - LastModif
- Friday 01 June, 2012 22:14:25 UTC