Fixed Potential security issue during install

Affected version
2.2

sixlxvi

Well-known member
I'm not sure if there's any likeliness of this ever happening but I figured I would post it just as a precaution.

I was at the administrator account creation page of a fresh 2.2 install in my test forum environment. I made a mistake (thanks to iCloud) of using a "strong" password for the account thinking iCloud would remember it and I wouldn't have to.

iCloud did not remember the password when I moved to the next step and I said "well that sucks" and hit the back button to see if I could give the account a new password. I was not able to change the password from there because the account was already created so trying to change the password on this page gave an error of "the username already exists and must be unique".

Then I tried being clever and hit the back button again, so now I'm back at the administrator account creation page of the install process. I figured I'd try a new username and a new password, essentially creating a second super administrator account before I even finished the whole install process. To my surprise, it worked.

Again, I'm not entirely sure if this would happen in the real world but it seems like an outside party might be able to create a second super admin account if you never finish the install process? Even if they did, maybe it wouldn't matter since it's a brand new forum / database. Just thought I'd bring it up anyway.
 

Mike

XenForo developer
Staff member
I don't really think I'd call this a security issue, especially as we have a sanity check that, if needed, recreates the install lock when certain actions are taken -- specifically, logging into the control panel -- so there wouldn't really be an "active" install without the lock file unless it was removed explicitly.

Saying that, we potentially do have some assumptions about there only being 1 user after the install, so it may be worth adding a sanity check here and erroring if we try to create a second user.
 

sixlxvi

Well-known member
I don't really think I'd call this a security issue, especially as we have a sanity check that, if needed, recreates the install lock when certain actions are taken -- specifically, logging into the control panel -- so there wouldn't really be an "active" install without the lock file unless it was removed explicitly.

Saying that, we potentially do have some assumptions about there only being 1 user after the install, so it may be worth adding a sanity check here and erroring if we try to create a second user.
I didn't really think it was a huge security issue either but I don't know enough about this stuff. I assumed I'm the only idiot that would ever encounter this so I thought I'd let you guys know anyway, lol.
 

XF Bug Bot

XenForo bug fixer bot
Staff member
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.0 RC2).

Change log:
If an initial user has already been created during the install process, redirect to the next step
There may be a delay before changes are rolled out to the XenForo Community.
 
Top