Possible Security Issue?

  • Hi,

    Love the plugin. Just one thing that I am a little concerned about, and forgive me because I am not a coder at all. The thing is that sometimes when I log out after a switch, on the login page there is the box that says “switch back to” the original admin right above the login. Then I can bypass the login completely by clicking on it without a user name or password.

    I understand that I should probably logout after I have switched back to admin to prevent this, but I would like to give end users access to my site, and am concerned that they would not follow proper protocol or the idle user logout would make them think they were safe. This seems to present a possible security issue.

    I’m guessing that it wouldn’t be too hard to make sure this doesn’t happen, but like I said, I don’t know code. Is there a snippet I can use or some way to prevent this from showing up above the login box?

    Thank you for the great plugin.

    Regards,

    Michael

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author John Blackbourn

    (@johnbillion)

    WordPress Core Developer

    Hi Michael,

    User Switching’s cookies should get cleared from your browser at the point when you log out, meaning the “Switch back” option should not be available.

    Is there anything irregular about your website which might prevent this? For example, does the admin area or login screen use a different domain name to the site? Is WordPress installed in an unusual location? Are you using multisite with an unusual configuration?

    John

    Thread Starter mjmccarr1

    (@mjmccarr1)

    John,

    Thanks for responding so quickly. I don’t think there is anything particularly unusual, and I’m not using multisite. I’m at a loss. Can I hire you to figure it out for me? I really need to use the plugin, but obviously need to get this fixed before it is safe for me. I don’t code at all. Thanks.

    Michael

    Plugin Author John Blackbourn

    (@johnbillion)

    WordPress Core Developer

    Can you send a list of the active plugins on your site please? There may be a conflict.

    I’m not available for hire, sorry.

    John

    Thread Starter mjmccarr1

    (@mjmccarr1)

    John,

    I understand. Thank you for following up on this.

    I use WP Hide Login, so the random login I made ended up being:
    https://denverimmigrationdefnse.com/83459871049587alkuhgdlkjhdq9384750r987

    I don’t know where i go this URL but I have been using it as logout:

    https://denverimmigrationdefense.com/83459871049587alkuhgdlkjhdq9384750r987/?action=logout&_wpnonce=e0d75aae94

    I disabled WP login, but that didn’t help.

    My plugin list is below:

    404-page
    Admin Columns
    Admin Menu Editor Pro
    Advance Database Cleaner
    All in One SEO Pack
    Autoptomize
    Bulk Actions Pro for Gravity Forms
    Coming Soon Page and Maintenance Mode by Seed Prod
    Custom Dashbord Page
    Custom Login Image
    Disable WP registration Page
    Facebook Pixel for WP
    Force Strong Passwords
    GP Conditional Logic Dates
    GP Copy Cat
    GP Multi Page Form Navigation
    GP Preview Submission
    GP Wordcount
    Gravity Forms
    Gravity Forms Data Persistence Add On Reloaded
    Gravity Perks
    Hide This
    Image Recycle PDF and Image Compression
    Members
    Personal Admin Footer
    Peter’s Login Redirect
    Progress Bar
    Redirection
    Remember Me Controls
    Remove Help Tab and Screen Option
    Remove Query Strings from Static Resources
    Simple Page Ordering
    SP Client Document AES Security
    SP Client Document Manager Batch Operations
    SP Client Document Manager Premium
    SP Project and Document Manager
    User Last Login
    User Shortcodes
    User Switching
    Video Popup
    Wordpress Toolbar Editor
    WP Better Emails
    WPS HIde Login

    Thanks again!

    Michael

    Thread Starter mjmccarr1

    (@mjmccarr1)

    John,

    I don’t see how this could be a plugin conflict – especially since I deactivated most all of my plugins to see. Did you see anything in the list? Also, I’m not sure why your plugin would ever permit someone to log in without a password. Isn’t the idea that you switch users once logged in? So I’m having a hard time understanding why there should be a bypass password feature for logged out users. I was reading more about the switch off feature and it seems to just be a security vulnerability without any added benefit. I really want to get this working for me, because I love the functionality of the plugin and want to use it on my site. Is there someone else you can recommend to me that might have experience working with your plugin to help me fix this problem since you are not available for custom work?

    Thank you for your time in responding to my concerns,

    Michael

    Plugin Author John Blackbourn

    (@johnbillion)

    WordPress Core Developer

    I’ve not looked at your list of plugins yet, but here’s some info to alleviate your security concerns in your second message:

    The ability to switch back in without using a password uses the same underlying authentication mechanism that WordPress uses to determine that you’re logged in. You need to first be logged in as a privileged user (ie. a user with the ability to edit other users) in order to be able to switch off. When you do switch off, an authentication cookie is set which tells User Switching that the current “user” has permission to switch back to the user they switched from.

    It’s not possible to simply visit the login screen and be presented with the option of logging in without a password. You must have switched from a previous user and your browser must have a corresponding and valid authentication cookie, which is validated using the built-in authentication mechanisms in WordPress.

    Hope that clarifies things.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Possible Security Issue?’ is closed to new replies.