Activate Two Factor Authentication - Google Authenticator, set it to Administrator (Backend) and activate for your user.
Activate Shared Sessions in Global Configuration > System > Session.
Log out everywhere.
Try to log in to the backend: it asks for the Secret Key.
Try to log in to the frontend: it asks for nothing and you can log in.
Go to administrator and access the control panel without providing a secret key.
You should not access administrator without providing the secret key.
You can bypass the secret key.
In my opinion the best solution would be to ask for the secret key before qualifying your session to access Administrator, then keep the shared session.
Another accepted solution is to disable shared session and inform in the control panel that it doesn't work in this specific scenario.
I am referring to 4.0 RC3 but I suspect J3 has the same issue.
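A minimal model of the two session policies discussed in this report, added here as an illustration and not taken from Joomla's code base; the application names, the `Session` fields and the single-user setup are assumptions. It shows why a shared session that only records "authenticated" lets a frontend login reach the backend, and how recording the MFA check per session keeps sessions shared while still gating Administrator.

```python
from dataclasses import dataclass

# Constructed model: 2FA is enabled for the backend only, as in the report.
MFA_SCOPE = "administrator"


@dataclass
class Session:
    """One session record shared between the site and administrator apps."""
    user: str
    authenticated: bool = False
    mfa_passed: bool = False  # set only when the backend secret key was verified


def login(session: Session, app: str, secret_ok: bool = False) -> bool:
    """Authenticate through a given app. Only the backend asks for the secret key."""
    if app == MFA_SCOPE and not secret_ok:
        return False  # backend login refused without a valid secret key
    session.authenticated = True
    if app == MFA_SCOPE:
        session.mfa_passed = True
    return True


def can_access_vulnerable(session: Session, app: str) -> bool:
    """Shared session as reported: any authenticated session is accepted by any app."""
    return session.authenticated


def can_access_fixed(session: Session, app: str) -> bool:
    """Proposed behaviour: the session stays shared, but the MFA-scoped app
    additionally requires that the secret key was verified in this session."""
    if app == MFA_SCOPE:
        return session.authenticated and session.mfa_passed
    return session.authenticated


def reproduce(policy) -> bool:
    """Replay the report's steps: log in on the frontend, then open administrator."""
    session = Session(user="admin")
    login(session, "site")  # frontend login: no secret key asked
    return policy(session, MFA_SCOPE)


if __name__ == "__main__":
    print("vulnerable policy grants backend:", reproduce(can_access_vulnerable))
    print("fixed policy grants backend:", reproduce(can_access_fixed))
```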
Labels | Added: ? |
I think that issue is about the aesthetics of an invalid Secret Key, whereas this issue presents a potential security problem, which is a way to bypass the submission of a valid Secret Key and still use the Administrator panel.
As Joomla 4.2 now has a captive login option I believe this is resolved.
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-08-15 08:57:53 |
Closed_By | ⇒ | alikon | |
Labels | Added: No Code Attached Yet | Removed: ? |
If not, it could be reopened.
Duplicate #31204?