We have a new release of our Master User plugin, version 2.1.4. This should be considered a security release, and users are advised to update. The issue affects only sites that use Joomla 3.4. Sites using earlier versions of Joomla are not vulnerable, but it would be a good idea to update the plugin anyway, in case you update your site later and forget to update the plugin.
What is the issue?
The plugin allows selected “master” users to log in as another user using their own password. This can be a useful feature for testing what your site looks like to another user or if you do need to do some action on behalf of another user, for example, to place an order on your site for a customer.
Naturally, if you are using the plugin, you have to be quite careful about which users the master users should be able to log in as. Normally you would not want them to be able to log in as a super user, for example. Therefore, the plugin allows you to select which groups the master user cannot log in as. If none are selected in the plugin options, it should by default use groups 7 and 8, the administrator and super-administrator groups. This all worked fine until Joomla 3.4, but unfortunately there is a change in the way that the latest Joomla versions allow you to specify default options. As a result, these groups were being left blank by default, rather than being set to 7 and 8. If, for some reason, you cannot update your version of the plugin, you can fix the issue yourself by setting the “Restricted User Groups” option explicitly, which will usually be to “Administrator” and “Super-Users”.
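The failure mode described above, as an added illustration in plain PHP that is not the plugin's code: a deny list whose default applies only when the option is absent ends up empty when the stored value is blank, while a fail-closed version treats an empty selection as the default. All function names and the shape of the option value are assumptions; only the group ids 7 and 8 come from the text.

```php
<?php
// Added example; hypothetical names, not the plugin's own code.
// Groups 7 and 8 are the default restricted groups named in the article.
const DEFAULT_RESTRICTED_GROUPS = [7, 8];

// Turn a raw option value (null, '', a single id, or a list) into integer ids.
function normaliseGroups($option): array
{
    $ids = [];
    foreach ((array) $option as $value) {
        if (is_numeric($value) && (int) $value > 0) {
            $ids[] = (int) $value;
        }
    }
    return array_values(array_unique($ids));
}

// Fail-open: the default is used only when the option is missing entirely,
// so a blank stored value produces an empty deny list.
function restrictedGroupsFailOpen($option): array
{
    return $option === null ? DEFAULT_RESTRICTED_GROUPS : normaliseGroups($option);
}

// Fail-closed: any value that resolves to "no groups" falls back to the default.
function restrictedGroupsFailClosed($option): array
{
    $ids = normaliseGroups($option);
    return $ids === [] ? DEFAULT_RESTRICTED_GROUPS : $ids;
}

// A master user may log in as a target only if the target is in no restricted group.
function mayLoginAs(array $targetGroups, array $restricted): bool
{
    return array_intersect($targetGroups, $restricted) === [];
}

// Constructed sample: the target account is in group 8 (super-administrator).
$target = [8];
$samples = ['absent' => null, 'blank' => '', 'explicit' => ['7', '8']];
foreach ($samples as $label => $raw) {
    printf(
        "%-8s fail-open allows: %-5s fail-closed allows: %s\n",
        $label,
        var_export(mayLoginAs($target, restrictedGroupsFailOpen($raw)), true),
        var_export(mayLoginAs($target, restrictedGroupsFailClosed($raw)), true)
    );
}
```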
What is the danger?
Probably none on most sites. Only users who are also assigned as master users can exploit the issue. One would expect that they would be a super user already on most sites, so it is not going to make a practical difference. The issue certainly does not allow an ordinary user to log in as an administrator. However, it would make a difference if you had the scenario where the master user had lower permissions, and was perhaps only an administrator or a manager: then they could exploit this to log in as a super user, so in this case it must be considered a security issue.