Posted on December 05, 2009.
Interesting question, isn't it?
First let me explain which roles interact with a TYPO3 installation.
Most of us will agree that the last two roles are not trustworthy. This is obviously the case for unprivileged website users, as nobody knows who will eventually access a website on the internet. A frontend user registration will in most cases accept anyone. The registration process consists of filling in form fields with user data (an email address), following a confirmation link in a mail generated by the TYPO3 system, and you're done.
Now we're getting to a more disputable role: backend users. During incident handling in the TYPO3 Security Team we see a lot of TYPO3 extension developers making false assumptions. They assume that all backend users are good guys and therefore gracefully accept any input from them (e.g. plugin configuration).
This might be true for the website of a kindergarten in a small village, where one kindergarten teacher takes care of the website as the only backend editor.
Please think bigger! TYPO3 is considered to be an Enterprise CMS. TYPO3 is used by educational institutions (universities) with dozens of website editors (professors, employees, student employees). It is used by huge NGOs and by multi-national companies with departments distributed worldwide. There you are dealing with hundreds of backend users.
In such huge deployments it's simply impossible for an admin or a team of admins to know everybody personally. The decision about who is granted editor rights is most likely no longer taken by the admins at all.
It only takes one curious person who tries to exploit a vulnerability to end up with admin rights, too.
So please, dear extension developer, assume that website editors, a.k.a. backend editors, are not trustworthy! Validate their input and do plausibility checks!
TYPO3 admins might be considered trustworthy, as they are able to do anything anyway.
TYPO3 extension developers:
Remember one important rule: do not trust user input!
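To make the rule concrete, here is an added example (not code from the original post) of a hypothetical plugin that receives a limit, a display mode and a template file name from backend-editor-supplied configuration, first trusting it blindly, then with plausibility checks. The array layout and the extension directory are assumptions; the checks use only plain PHP so that nothing depends on a particular TYPO3 API version.

```php
<?php
// Added example, not part of the original post. $conf is assumed to hold the
// editor-supplied plugin configuration (e.g. from a FlexForm or TypoScript).

// Unsafe variant: trusts the backend editor completely.
function buildQueryUnsafe(array $conf) {
    // Whatever the editor typed ends up verbatim in the query and in include().
    include($conf['templateFile']);
    return 'SELECT * FROM tt_content LIMIT ' . $conf['limit'];
}

// Plausibility checks on the same configuration. $extDir is the (assumed)
// directory of the extension, the only place templates may be loaded from.
function sanitizePluginConf(array $conf, $extDir) {
    // Numeric option: cast, then clamp to a sensible range, else use a default.
    $limit = isset($conf['limit']) ? (int) $conf['limit'] : 10;
    if ($limit < 1 || $limit > 100) {
        $limit = 10;
    }
    // Option that selects behaviour: allow-list, never free text.
    $allowedModes = array('list', 'teaser', 'detail');
    $mode = (isset($conf['mode']) && in_array($conf['mode'], $allowedModes, true))
        ? $conf['mode'] : 'list';
    // File option: strip any directory part, resolve, and require the result
    // to be an .html file that still lies inside the extension directory.
    $base = realpath($extDir);
    $name = isset($conf['templateFile']) ? basename($conf['templateFile']) : '';
    $file = ($base !== false && $name !== '') ? realpath($base . '/' . $name) : false;
    if ($file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0
        || substr($file, -5) !== '.html') {
        throw new InvalidArgumentException('templateFile is not a template of this extension');
    }
    return array('limit' => $limit, 'mode' => $mode, 'templateFile' => $file);
}

// Safe variant: only validated values reach the query and the file system.
function buildQuerySafe(array $conf, $extDir) {
    $clean = sanitizePluginConf($conf, $extDir);
    $template = file_get_contents($clean['templateFile']);
    return array(
        'sql'      => 'SELECT * FROM tt_content LIMIT ' . $clean['limit'],
        'mode'     => $clean['mode'],
        'template' => $template,
    );
}
```

The same pattern applies to every configuration value an editor can set: cast numbers and clamp them, compare enumerations against an allow-list, and never let a file or path option point outside the directory the plugin owns.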
TYPO3 admins:
TYPO3 allows extensive configuration of what specific roles are allowed and not allowed to do. Use it! Grant only the least rights that are really needed. Be careful with allowing HTML or TypoScript configuration for website editors.