This ticket has been moved to our new tracker. Open Ticket PHPBB3-2160 now.

Security Hole with Manage Group Admin Permission (fix completed in vcs)

This is a really interesting 'security hole', but it can only be exploited under certain circumstances, and since it's not a true code security hole, it can be reported here in the bug tracker.

Alright, here is the scenario.
Using a Beta3 install, I created three users:
- Highway of Life
- Group Admin
- Admin Wannabe

Highway of Life is a Founder
Group Admin was given Admin permissions: "Manage Groups", and that's it.
Admin Wannabe is a regular user.

Logging in as Group Admin,
I went to the ACP, the only thing I can perform there is manage groups.
Go to Administrators group > Manage Users
Added Group Admin and Admin Wannabe to the Administrators group, set to default group and group leader (for both).
Instantly, I (Group Admin) have full Administrator Permissions to do whatever I want!! And now, Admin Wannabe also has Full Administrator permissions, just short of being a complete Founder.

There are several solutions to this problem, but some thought needs to be used, because you could potentially leave another loophole.
1. You could just protect the Administrator group.
2. You could add an extra Users/Groups Permission filter.
3. You could add a radio button or pair of checkboxes for "Founder Manage Only" or "Group Leader Manage Only".

I'll have to give this more thought as to the best method of solution.

Comments / History

Posted by Martin Blank on Nov 16th 2006, 01:22

It strikes me that this has already been reported and was discussed at length.

Yep. Here it is: http://area51.phpbb.com/phpBB/viewtopic ... =4&t=23663

Posted by Highway of Life (QA Team) on Nov 16th 2006, 09:57

Ah yes... I remember that from long ago.
But that discussion turned into a 'feature request'.
I'm reporting a bug as a 'security loophole'.
A way for a simple Admin to turn himself into a full-blown Administrator... that person could really wreak some havoc.

Posted by Acyd Burn (Server Manager) on Nov 16th 2006, 10:50

This is not a security hole at all. You should not give these permissions to people you do not trust, or would you also give database backup permission to a person you do not trust? If you want a person to manage one group, just assign him/her to be the leader, then he/she can manage the group through the ucp.

We simply are not able to distinguish permissions on the level of priority or impact - the only thing I will look into is making sure there are no default permissions set for the roles.

Posted by Highway of Life (QA Team) on Nov 16th 2006, 11:43

Meik,
I understand what you are saying, and I considered that thought process and thought of that solution as well, but it is logical to make a person group leader for x-number of groups if there are many to manage, and if that person does not need to be group leader over all of them.
But as many circumstances as are possible, it seemed prudent to cover something like the Admin group from outside entry by someone other than the Founder.

I know you guys are probably set on not implementing this, but I wanted to give the option in case you change your mind.
I've tested a method (which worked) in which it would be easy to cover this.
As I mentioned above, you could make a checkbox to allow the Founder to set a group (any group) to be managed on the Admin side by the Founder only -- this would still allow a member who is a group leader over that group to manage it from his UCP, but it blocks unwanted access for those that might have the Manage Groups admin permission.

On line ~57, in the "Grab basic data for group, if group_id is set and exists" section, add:

Code:
// Let's spoil the fun for someone who has higher aspirations than they should have...
// Only a founder may manage a group flagged group_founder_manage from the ACP.
if ($user->data['user_type'] != USER_FOUNDER && $group_row['group_founder_manage'] == 1)
{
    trigger_error($user->lang['NOT_ALLOWED'] . adm_back_link($this->u_action), E_USER_WARNING);
}

It's not that big of a deal for me, as I can always MOD it in... Just thought I should bring it up.

Posted by Acyd Burn (Server Manager) on Nov 16th 2006, 12:06

Erm, what if the person sets the default bit? The group leader bit only has something to say about the ability to add/remove (and default) users to a certain group. The group leader gains no special permissions from being a group leader.

Posted by Highway of Life (QA Team) on Nov 16th 2006, 12:13

I'm not sure I quite understood (re: default bit).

The code above would only be used in the ACP, so the group leader can still manage (settings, add/remove, approve, etc.) his group regardless, from the UCP.
It's only restricted in the ACP.

Posted by Acyd Burn (Server Manager) on Nov 16th 2006, 12:43

I understood you in the way that you wanted to limit the person having ACP group access from setting a group leader. But the person does not need to be a group leader to get administrative access; he just needs to set the Administrators group as his default group.

Posted by Acyd Burn (Server Manager) on Nov 16th 2006, 12:43

And also remove himself from any group having "never" permissions.
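Pulling the thread together, here is an added example (not phpBB's own code, and not the reporter's snippet above) of a single gate that covers every membership-changing ACP action on a founder-managed group, since the comments show that adding a member, setting the default group and removing a member all change effective permissions; the function name, constant values and sample accounts are assumptions, and only the flag name group_founder_manage comes from the ticket.

```php
<?php
// Added example, not phpBB's own code: a minimal model of the ACP "Manage Groups"
// gate discussed in this ticket. can_manage_group_in_acp(), the constant values and
// the sample data are constructed for illustration; only the flag name
// group_founder_manage is taken from the snippet in the ticket.

const USER_NORMAL  = 0;
const USER_FOUNDER = 3;   // illustrative values, not phpBB's constants

// Constructed sample data: the accounts and groups from the ticket scenario.
$users = [
    'Highway of Life' => ['user_type' => USER_FOUNDER],
    'Group Admin'     => ['user_type' => USER_NORMAL],   // has only the Manage Groups permission
    'Admin Wannabe'   => ['user_type' => USER_NORMAL],
];
$groups = [
    'Administrators' => ['group_founder_manage' => 1],   // flagged by the founder
    'Testers'        => ['group_founder_manage' => 0],
];

// One gate for every membership-changing ACP action. Gating only "add user" is not
// enough: as the comments note, making the Administrators group a member's default
// group, or removing a member from a group carrying "never" permissions, also
// changes effective permissions, so those actions pass through the same check.
function can_manage_group_in_acp(array $actor, array $group, string $action): bool
{
    $membership_actions = ['add', 'remove', 'set_default', 'set_leader'];
    if (!in_array($action, $membership_actions, true)) {
        return false;   // unknown action: deny by default
    }
    if ((int) $group['group_founder_manage'] === 1 && $actor['user_type'] !== USER_FOUNDER) {
        return false;   // founder-managed group: only a founder may touch it from the ACP
    }
    return true;
}

// Walk the ticket scenario: Group Admin tries to add itself to Administrators and set
// it as default; each step is refused, while a founder and an unflagged group are
// unaffected.
$attempts = [
    ['Group Admin',     'Administrators', 'add'],
    ['Group Admin',     'Administrators', 'set_default'],
    ['Group Admin',     'Testers',        'add'],
    ['Highway of Life', 'Administrators', 'set_leader'],
];
foreach ($attempts as [$who, $which, $action]) {
    $verdict = can_manage_group_in_acp($users[$who], $groups[$which], $action) ? 'allowed' : 'denied';
    printf("%-16s %-11s on %-15s -> %s\n", $who, $action, $which, $verdict);
}
```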
