1
jayjay
security bug in control panel
2004/2/4 14:24 | jayjay | Not too shy to talk | Posts: 175 | Since: 2003/9/10

Hi everyone!

I found a rather bad security issue in the administration menu. On my site I have denied access to the system admin module for the group originally called "webmasters". I renamed that group to "moderators" and then made a new group called "webmasters", which has full access to the site. I had to do this to make full use of the phpwiki module.

Anyway, the thing is that although my "moderators" group has no rights to the system admin module, this module can still be accessed by simply typing "http://www.my-url.com/modules/system/admin.php". The module button doesn't pop up however.

Has anyone else experienced this? Can this security issue be solved?

PS: I'm using XOOPS 2.0.5.2

Greets

2
Mithrandir
Re: security bug in control panel

I don't follow why you had to change the original webmaster usergroup - but I haven't used phpwiki, so might just be me.

Some things are hard-coded, such as the

define("XOOPS_GROUP_ADMIN", "1");
define("XOOPS_GROUP_USERS", "2");
define("XOOPS_GROUP_ANONYMOUS", "3");

in the mainfile.php.

This has helped a lot of people, who accidentally removed system admin access to the webmasters group and thus saw the Administration Menu link disappear from their user menu. By typing the direct url to the admin module, members of the (original) webmaster group can then resolve the problem without having to reinstall XOOPS.

I guess that can be changed if you really want... but I'd rather do something about that phpwiki module.
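The behaviour Mithrandir describes, a hard-coded group id that grants admin access no matter what the permission table says, is modelled below in a small Python sketch. This is an added illustration, not XOOPS code: the permission table, the group numbers other than the three constants quoted above, the function names and the "hardened" variant are all assumptions. It shows why the menu button can disappear while the module stays reachable, and how an administrator could audit for such a gap between what the interface shows and what the check actually enforces.

```python
"""Constructed model of the thread's issue: a permission check that
short-circuits on a hard-coded admin group id (XOOPS_GROUP_ADMIN = 1)
ignores whatever the permission UI records, so revoking the system
module from group 1 hides the menu button but does not block access.
Names, data layout and the hardened variant are assumptions for
illustration, not XOOPS code."""

# The three constants the thread quotes from mainfile.php.
XOOPS_GROUP_ADMIN = 1
XOOPS_GROUP_USERS = 2
XOOPS_GROUP_ANONYMOUS = 3

# Constructed permission table: module name -> set of group ids granted
# access. It mirrors the setup in the thread: group 1 was renamed
# "moderators" and stripped of the system module; a new group 4
# ("webmasters", an assumed id) holds full access.
MODULE_PERMS = {
    "system": {4},
    "phpwiki": {1, 4},
    "news": {1, 2, 4},
}


def menu_shows_module(groups, module, perms=MODULE_PERMS):
    """What the admin menu does: render a button only if the table grants it."""
    return bool(set(groups) & perms.get(module, set()))


def can_access_module_legacy(groups, module, perms=MODULE_PERMS):
    """Check modelled on the thread: members of the hard-coded admin group
    always pass, regardless of what the permission table says."""
    if XOOPS_GROUP_ADMIN in groups:
        return True
    return menu_shows_module(groups, module, perms)


def can_access_module_hardened(groups, module, perms=MODULE_PERMS):
    """Hardened variant (assumption): access is decided solely by the
    permission table, so the UI and the enforced policy cannot disagree."""
    return menu_shows_module(groups, module, perms)


def find_hidden_access(perms, groups_to_check, check=can_access_module_legacy):
    """Audit helper: list (group, module) pairs where the access check grants
    something the permission table does not record. A non-empty result is
    exactly the misleading situation Dave_L calls a bug."""
    hidden = []
    for gid in groups_to_check:
        for module in perms:
            granted = check([gid], module, perms)
            shown = menu_shows_module([gid], module, perms)
            if granted and not shown:
                hidden.append((gid, module))
    return hidden


if __name__ == "__main__":
    # The renamed "moderators" group (id 1) has no button for the system
    # module, yet the legacy check still lets it in.
    print("menu shows system module:", menu_shows_module([1], "system"))
    print("legacy check grants access:", can_access_module_legacy([1], "system"))
    print("hardened check grants access:", can_access_module_hardened([1], "system"))
    print("hidden grants under legacy check:", find_hidden_access(MODULE_PERMS, [1, 2, 3, 4]))
```

Running the audit with the legacy check reports the single hidden grant for group 1 on the system module; with the hardened check it reports nothing, because the table is then the only source of truth. The trade-off Mithrandir raises still applies: the hard-coded path is also what rescues an administrator who has locked group 1 out of the admin menu, so removing it should go together with a documented recovery procedure.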

3
Dave_L
Re: security bug in control panel
2004/2/4 15:50 | Dave_L | XOOPS is my life! | Posts: 2277 | Since: 2003/11/7

Hmmmm .... if the webmasters group (group #1) has hardcoded admin access, then it's misleading if the user interface appears to let you disable that access without really disabling it. I'd call that a bug.

I had asked about this in an earlier post, but never got a definitive answer.

4
Mithrandir
Re: security bug in control panel

It's a misleading back-door, which should be documented, yes. Agreed.

5
jayjay
Re: security bug in control panel
2004/2/6 7:20 | jayjay | Not too shy to talk | Posts: 175 | Since: 2003/9/10

Hi Mithrandir and Dave_L,

Thanks for replying! I agree that this recovery 'feature' should be better documented. I admit however that my method of restricting access to the original 'webmasters' group is a bit unorthodox.

I needed it to give moderators the chance of editing pages in my wiki, but restrict their access to other parts of the site. The phpwiki module now sees my moderators as 'admins'. It was the fastest and easiest way of doing this, without touching too much wiki code.

Bye!

6
jayjay
Re: security bug in control panel
2004/2/6 7:27 | jayjay | Not too shy to talk | Posts: 175 | Since: 2003/9/10

Quote:
I guess that can be changed if you really want... but I'd rather do something about that phpwiki module.


Hi mithrandir,

I'd rather have this backdoor removed from xoops. What changes would I have to make?

Also, wouldn't it be safer to make XOOPS create a "god" user when installing?

Greets

7
Mithrandir
Re: security bug in control panel

Quote:

jayjay wrote:
Quote:
I guess that can be changed if you really want... but I'd rather do something about that phpwiki module.


Hi mithrandir,

I'd rather have this backdoor removed from xoops. What changes would I have to make?

Also, wouldn't it be safer to make XOOPS create a "god" user when installing?

Greets

I guess you can remove a lot of it by editing mainfile.php and removing the line which defines webmasters as usergroup 1.

God user? Isn't that what you have got? I still have absolutely no clue as to why you had to strip down the webmaster group permissions instead of just creating a new group to moderate the wiki.

8
jayjay
Re: security bug in control panel
2004/2/6 12:32 | jayjay | Not too shy to talk | Posts: 175 | Since: 2003/9/10

What I mean by "god user" is a predefined user that has access rights to every part of the site and whose rights cannot be changed. This means careless webmasters can't shut themselves out (as long as they remember their password).

I'll try to explain the phpwiki issue again: in order to give people write access to the phpwiki module, they must be in the 'webmasters' group. You can't modify the wiki as a normal XOOPS 'user'.

However I don't want to give the wiki moderators access to the entire site. That's why I restricted access rights for the original 'webmasters' group, renamed it to 'moderators' and made a new 'webmasters' group.

PS: I think deleting the entry for the admin group in mainfile.php will make it impossible to edit my wiki, because users in that group won't be recognized as "admins" anymore.
