Loading...
 

6.7 LTS: Possible security threat: Logging into Wiki A as admin may raise your privilege level in Wiki B

Trackers Items
Status
Open
Subject
6.7 LTS: Possible security threat: Logging into Wiki A as admin may raise your privilege level in Wiki B
Version
6.x
Category
  • Error
  • Feature request
Feature
Administration
User Administration (Registration, Login & Banning)
Installer (profiles, upgrades and server-related issues)
Performance / Speed / Load / Compression / Cache
Submitted by
hman
Lastmod by
hman
Rating
(0)
Description

I looked if something like this has been reported previously, but didn't find something that completely fits, so I post this and apologize if I missed something.

Since I have already put some detail into a support request and at the moment I believe it only concerns two Wikis belonging to the same admin, here is a description:

Steps to reproduce:
1) Take any Tiki installation and move a new directory
2) Create a new DB with a copy of the original DB
3) Upgrade and start it up
4) Log into the old installation as admin
5) Find out you're admin on the new one, too.

It may well be that for some admins this is a wanted behaviour like as a single-sign-on (SSO).

But it is my firm belief that any such behaviour is to be considerd a breach of security unless both admins have expressley activated this as a wanted behaviour. Possibly the problem also exists if two different admins operate two different Tikis on the same hosted volume, that somehow were created from one single predecessor, so maybe this is not as harmless as it might seem to be.

I do not know, but suspect, this could be a cookie issue.

Resolution could be that tiki-installer regenerates all security structures upon installation and/or upgrades, or at least asks the admin whether such should be reset. Also, there should be a button in the administration panel to reset this at any later time. In my opinion TikiWiki should at all times, if not told to behave otherwise, protect its instance against all other possible instances of itself...

At some point confusion may get so high to a user's browser that logging into Wiki B alone will not function, and you have to log into Wiki A to be able to access Wiki B. At the moment I experience this with my new 6.7 LTS and my old 1.9.8.3. sitting in different directories on the same volume, accessing to different MySQL DBs with differing user names and passwords...

Importance
7
Easy to solve?
6
Priority
42
Demonstrate Bug (Tiki 19+)
Please demonstrate your bug on show2.tiki.org
 About show2.tiki.org

To help developers solve the bug, we kindly request that you demonstrate your bug on a show2.tiki.org instance. To start, simply select a version and click on "Create show2.tiki.org instance". Once the instance is ready (in a minute or two), as indicated in the status window below, you can then access that instance, login (the initial admin username/password is "admin") and configure the Tiki to demonstrate your bug. Priority will be given to bugs that have been demonstrated on show2.tiki.org.

Version: Create show2.tiki.org instance
Ticket ID
4229
Created
Monday 21 May, 2012 12:48:01 GMT-0000
by hman
LastModif
Friday 01 June, 2012 22:14:25 GMT-0000

Attachments

 filenamecreatedhitscommentversionfiletype 
No attachments for this item


Keywords

The following is a list of keywords that should serve as hubs for navigation within the Tiki development and should correspond to documentation keywords.

Each feature in Tiki has a wiki page which regroups all the bugs, requests for enhancements, etc. It is somewhat a form of wiki-based project management. You can also express your interest in a feature by adding it to your profile. You can also try out the Dynamic filter.

Accessibility (WAI & 508)
Accounting
Administration
Ajax
Articles & Submissions
Backlinks
Banner
Batch
BigBlueButton audio/video/chat/screensharing
Blog
Bookmark
Browser Compatibility
Calendar
Category
Chat
Comment
Communication Center
Consistency
Contacts Address book
Contact us
Content template
Contribution
Cookie
Copyright
Credits
Custom Home (and Group Home Page)
Database MySQL - MyISAM
Database MySQL - InnoDB
Date and Time
Debugger Console
Diagram
Directory (of hyperlinks)
Documentation link from Tiki to doc.tiki.org (Help System)
Docs
DogFood
Draw -superseded by Diagram
Dynamic Content
Preferences
Dynamic Variable
External Authentication
FAQ
Featured links
Feeds (RSS)
File Gallery
Forum
Friendship Network (Community)
Gantt
Group
Groupmail
Help
History
Hotword
HTML Page
i18n (Multilingual, l10n, Babelfish)
Image Gallery
Import-Export
Install
Integrator
Interoperability
Inter-User Messages
InterTiki
jQuery
Kaltura video management
Karma
Live Support
Logs (system & action)
Lost edit protection
Mail-in
Map
Menu
Meta Tag
Missing features
Visual Mapping
Mobile
Mods
Modules
MultiTiki
MyTiki
Newsletter
Notepad
OS independence (Non-Linux, Windows/IIS, Mac, BSD)
Organic Groups (Self-managed Teams)
Packages
Payment
PDF
Performance Speed / Load / Compression / Cache
Permission
Poll
Profiles
Quiz
Rating
Realname
Report
Revision Approval
Scheduler
Score
Search engine optimization (SEO)
Search
Security
Semantic links
Share
Shopping Cart
Shoutbox
Site Identity
Slideshow
Smarty Template
Social Networking
Spam protection (Anti-bot CATPCHA)
Spellcheck
Spreadsheet
Staging and Approval
Stats
Survey
Syntax Highlighter (Codemirror)
Tablesorter
Tags
Task
Tell a Friend
Terms and Conditions
Theme
TikiTests
Federated Timesheets
Token Access
Toolbar (Quicktags)
Tours
Trackers
TRIM
User Administration
User Files
User Menu
Watch
Webmail and Groupmail
WebServices
Wiki History, page rename, etc
Wiki plugins extends basic syntax
Wiki syntax text area, parser, etc
Wiki structure (book and table of content)
Workspace and perspectives
WYSIWTSN
WYSIWYCA
WYSIWYG
XMLRPC
XMPP




Useful Tools