#5079 - Add additional admin session security / confirmation for sensitive member actions
| Identifier | #5079 |
|---|---|
| Issue type | Feature request or suggestion |
| Title | Add additional admin session security / confirmation for sensitive member actions |
| Status | Completed |
| Tags | Roadmap: v11 (custom), Type: Security (custom) |
| Handling member | Chris Graham |
| Addon | core |
| Description | There are a few actions for which I believe should have enhanced security (due to laws governing GDPR, privacy, and data breaches) / require a confirmed admin session regardless of the admin zone settings, namely actions that could either modify or leak potentially sensitive information about members:<br>* Editing a member's username, password, e-mail, phone number, or credit card information<br>* Deleting a member<br>* Deleting lurkers<br>* Merging a member (which involves deleting a member)<br>* Exporting members (especially since potentially sensitive information including hashed passwords are / can be included in the export)<br>* Running the Purge or Download action on privacy<br>* Any / all screens which display a member's IP address or other identifiable information |
| Steps to reproduce | |
| Funded? | No |
Comments
However, through discussion with Patrick some more specific ideas came up, so I'll post these as new issues.
Problems:
1) It would be slavish to forcibly give member detail lookup more security than say, the zone editor, or anything that could cause massive havoc to totally destroy a site.
2) ... so we'd need proper configurability. But trying to implement a way of manually configuring different kind of session confirmation timeouts for different areas would be like creating an entirely new parallel privileges system, a massive effort.
3) It's a lot easier said than done forcing re-login. What if login is automatic via LDAP? What if it is through OAuth? What if login is 2FA (looking ahead here), do we force a full 2FA step to do stuff? Does that become configurable?
So instead, I think it's best to just bolster the existing system of forcing confirmed sessions and applying reasonable privileges.
I made these main changes:
1) Forced "view_any_profile_field" for member export (i.e. on top of normal Admin Zone access)
2) Forced "member_maintenance" for member import (FYI "assume_any_member" was already needed for importing usergroup changes)
3) Adjusted the Setup Wizard's high security profile to time out sessions in 20 mins, and medium to 1 hour (which is the default pre-Setup Wizard anyway); this reduces the core issue of an admin confirming a session and then leaving their desk long enough for a sneak to mess with their machine
4) Only put password in exported spreadsheet if "assume_any_member" privilege
5) Fix session confirmation requirement for member account editing/deleting (was broken!)
6) Prevent AJAX scripts (etc) from bumping session timeout; we don't want an admin's machine to be left on and the notification poller (for example) to keep the session alive forever
7) Changed viewing member e-mail addresses to use the view_any_profile_field privilege not the member_maintenance privilege (for consistency)
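The confirmed-session and privilege policy the change list above describes, written out as a small added model (this is not Composr's own code). The `AdminSession` class, the action names, treating the 20-minute window as an idle timeout, and leaving edit/delete with no extra privilege (the comment does not name one) are assumptions.

```python
from dataclasses import dataclass

CONFIRM_TIMEOUT = 20 * 60  # seconds; the Setup Wizard "high security" profile from the comment

# Sensitive member actions and the privilege the comment says each needs on top of
# Admin Zone access. None = confirmed session only (assumption for edit/delete).
SENSITIVE = {
    "export_members": "view_any_profile_field",
    "import_members": "member_maintenance",
    "view_member_email": "view_any_profile_field",
    "edit_member": None,
    "delete_member": None,
}


@dataclass
class AdminSession:
    privileges: set
    confirmed_until: float = 0.0  # the confirmed-session window expires at this time

    def confirm(self, now):
        """Admin re-entered their password: start a fresh confirmed window."""
        self.confirmed_until = now + CONFIRM_TIMEOUT

    def touch(self, now, is_ajax):
        """Only user-initiated (non-AJAX) requests extend the window, so a background
        notification poller cannot keep a confirmed session alive indefinitely."""
        if not is_ajax and self.confirmed_until > now:
            self.confirmed_until = now + CONFIRM_TIMEOUT

    def is_confirmed(self, now):
        return now < self.confirmed_until


def authorise(session, action, now):
    """Decide whether `action` may run now; returns (allowed, reason)."""
    if action not in SENSITIVE:
        return True, "not a sensitive action"
    if not session.is_confirmed(now):
        return False, "session confirmation required"
    priv = SENSITIVE[action]
    if priv is not None and priv not in session.privileges:
        return False, f"missing privilege {priv}"
    return True, "ok"


def export_columns(session):
    """Password hashes go into the export only for admins holding assume_any_member."""
    cols = ["username", "email"]
    if "assume_any_member" in session.privileges:
        cols.append("password_hash")
    return cols
```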