[#27262] - New user registration default group - remove high-privilege usergroups
- Closed
- 24 Feb 2020
- Medium
- Build: staging
- # 27262
Originally reported to JSST, moving over here:
Steps to reproduce the issue
- Enable user registration.
- Set group for new users to Super Users.
- Wait for some time.
- Find Spamers and Hackers as Super User.
Expected result
- No one should be able to register as Super User on registration.
Actual result
- Everyone can get complete access to the site, if someone by
mistake/idiocy/bad intention changes the setting to Super User.
Additional comments
This was seen on a site that had user registration disabled, but the
setting was to register new users as Super User. At some point someone
must have enabled user registration.
There were "only" around 5 Super Users that were in fact spamers that
had not realized their good luck. The server logs did not show any
further actions than creating the accounts and leaving user names with
internet addresses.
BUT
This could have been a major issue on other sites with more traffic or
regular attacks that are getting more and more these days.
Suggestion
To avoid this issue I would recommend to remove the possiblity to
register a new user as highly-privileged user by removing all appropriate groups (i.e. having the core.admin access right) from the select.
Further arguing for the case to remove the feature
From my experience Super Users are always set either from the registered
state to Super User or created in the backend by another Super User. So
this feature to allow this particular case to always create Super Users
on any registration from the frontend by any user who can access the
site, which is every person with a browser in this world, has almost no
use cases.
It is a very unlikely case that someone sets this on purpose for a good
reason, but it can happen through some stupid moment in time. Like
learning to use Joomla, testing everything and then building your page
on that already good looking "test" installation...
...or worse by a person who could gain access to a Super User account
for 30 seconds while someone was gone to fetch a coffee.
Later when no one is expected to watch the backend he can safely
register as a Super User.
| Labels |
Added:
J3 Issue
J4 Issue
|
||
joomla-cms-bot
- | Labels |
Added:
?
|
||
You can never protect against all 'stupidity', but that's not a reason not to protect against what you can.
@DavidBoggitt We can protect against the example I gave as well and its much more likely but we dont
I see no problems with this - if the webmaster is dumb enough to change the default registration group to super user then they either have a genuine reason for this or they need to learn their job as webmaster fast.
Most webmasters if they didn't know what this did would leave it as registered, and if they did they might have a genuine reason for doing so - like if the site is running on a private LAN for developing and they don't want the hassle of keep authorising super users into the super user list.
Whilst it may be true it's unlikely to happen, but it's like saying that we should put a guard to stop stuff from going near a blade on a chainsaw just because someone might cut their hand off with it.
You can protect against some things but sometimes if you start wrapping things up in cotton wool too much you start to become too restrictive
What would be the criteria as to which groups could not be used for a default usergroup?
It could not be based on the user group name or the user group id. It would have to be based on the permissions for that group and in that case what permissions?
I see no reason to restrict this.
It would have to be based on the permissions for that group and in that case what permissions?
I would suggest the global core.admin permission.
i've made a quick test, and you cannot register from frontend a new user as SuperUser even when this setting is in place
Set group for new users to Super Users.
there is already a check that prevent this https://github.com/joomla/joomla-cms/blob/staging/libraries/src/User/User.php#L791
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2019-12-21 09:40:32 |
| Closed_By | ⇒ | HLeithner |
BTW, "User not Super Administrator" should be translatable... and does not really represent the error here.
yes right.... it can be improved, it's not really easily understandable, plus the same test should be made on j4... my fault, still didn't have the time to do it on j4
thanks @infograf768 to cover my back....
so i'm considering this as it was a false negative issue
@brianteeman that's the question, we will give this feedback to the reporter.
The original report started with:
I wanted to raise an issue, but it is actually more a security concern.
So I think he / she didn't tested it before reporting his / her concern.
I will report back when I get an answer.
Hello,
I actually missed to give an information I wasn't aware at that time. The guest user group setting below the newly registered user group has to be set to super user too. The guest is then able to register as Super User.
could you please share a screenshot of that to avoid confusion
if you mean something like this screenshot
then you already lost the war because every site visitor is super user already and don't need to register...
This is the setting I am talking about. There is no need to change any arrangement for user groups if the guest is set to super user.
If the guest is super user he becomes super user at registration.
So if someone tries this setting while playing/learning on a live system there is a pretty good chance that a bot will be registering right in that moment even if the user is just testing that for an hour.
With the amount of attacks these days, I just think having a settings
- to give guests super user rights
- to register user as super user
should either be removed or it should get a red warning like the PHP version messages.
From my point of view there is no doubt that this is a very unlikely setting. But there is a risk.
And unlike my first thoughts, the main problem is not that someone can be registered as a super user, but that a guest user can be treated as super user. If the decision was on me, I would remove that possibility.
The register as super user function I would remove too, but if there are good arguments to keep it, a warning could reduce the security risk of keeping it enabled by mistake.
I can confirm that in the scenario tested by @alikon you can not register as a super user
I can confirm that in the scenario above from @StefanSTS you can register as a super user
I just see this issue was closed on 21st Dec 2019. I did not realize that before.
It was closed before the real issue was clearly understood. I still see this as a low security risk that should be addressed.
So for removing the option to be able to set guest users as Super User I request to open this issue again.
Quy
- | Status | Closed | ⇒ | New |
| Closed_Date | 2019-12-21 09:40:32 | ⇒ | |
| Closed_By | HLeithner | ⇒ |
Whilst it may be true it's unlikely to happen, but it's like saying that we should put a guard to stop stuff from going near a blade on a chainsaw just because someone might cut their hand off with it.
If you would like examples of cutting machines with guards to stop people cutting their hands off I can provide thousands of examples.
@alikon I tested the code on a 3.9.15 RC, it works as described. Thanks you.
There is still my concern that evolved from this super user registration issue.
Is there any intended use for the setting that the guest user can be super user?
Is anyone using that?
From my point of view there should be only:
Public
- Guest
- Registered
as an option for the guest user.
Are there any experience from other systems how it is handled there?
I guess my intial issue is solved, only in case the setting super user is removed later on for the guest user, this additional code would be redundant, so it might be a good idea to have a final decision on if it is to removed or if it will stay.
the reason for using the user plugin was : https://github.com/joomla/joomla-cms/blob/staging/libraries/src/User/User.php#L762-L765
// The only mandatory check is that only Super Admins can operate on other Super Admin accounts.
// To add additional business rules, use a user plugin and throw an Exception with onUserBeforeSave.
richard67
- | Status | New | ⇒ | Confirmed |
| Status | Confirmed | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-02-24 19:48:07 |
| Closed_By | ⇒ | alikon |
Can we really protect against all "stupidity"?
For example we don't prevent someone from being able to create content at the front end as a guest with all filters disabled and the ability to upload images etc.