Task #106345
open
Sign extbase __identity field value with HMAC
0%
Description
It is documented in the Security Guidelines that the extbase __identity field can be manipulated. In order to prevent identity field manipulation, an HMAC should be appended to the field value.
Updated by Torben Hansen 6 days ago
- Subject changed from Sign extbase __identity field with HMAC to Sign extbase __identity field value with HMAC
Updated by Gerrit Code Review 6 days ago
- Status changed from New to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/88543
Updated by Gerrit Code Review 6 days ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/88543
Updated by Gerrit Code Review 6 days ago
Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/88543
Updated by Helmut Hummel 5 days ago
Here are the reasons why I think the proposed approach (HMAC) is deceptive:
- Protecting __identity only leaves all cases where the PersistentObjectConverter converts an object from a string/int unprotected.
- HMAC is a fixed value and it is always publicly exposed (that is how it is designed). Once it is leaked, it can be reused an unlimited number of times.
- HMAC conceptually is not enough to protect from "Broken Object Level Authorization (BOLA)", exactly because of the reasons above. Therefore, such a change will not allow developers to skip the check for object access permissions.
In sum: it is deceptive, because it actually does make manipulation less accessible on the one hand, but still leaves the door wide open for multiple other attack vectors, which cannot be fixed with the concept of using an HMAC.
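
An added example, not part of the original thread and not TYPO3's own code: a plain-PHP illustration of an identity value with an appended HMAC, as the task describes, next to the object-level permission check that the last comment says remains necessary. The secret, the `OWNERS` map and all function names are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed placeholder secret; a real application uses its own server-side key.
const SECRET = 'constructed-demo-secret';

// Constructed sample data: record uid => uid of the user who owns it.
const OWNERS = [12 => 1, 13 => 2];

// Hex length of a SHA-256 HMAC.
const MAC_LENGTH = 64;

// Append an HMAC to the identity value, as the task proposes.
function signIdentity(string $identity): string
{
    return $identity . hash_hmac('sha256', $identity, SECRET);
}

// Return the identity if the appended HMAC is valid, otherwise null.
function verifyIdentity(string $signed): ?string
{
    if (strlen($signed) <= MAC_LENGTH) {
        return null;
    }
    $identity = substr($signed, 0, -MAC_LENGTH);
    $mac = substr($signed, -MAC_LENGTH);
    // hash_equals() compares in constant time.
    return hash_equals(hash_hmac('sha256', $identity, SECRET), $mac) ? $identity : null;
}

// Integrity check first, then the ownership check the HMAC cannot replace.
function mayUpdate(string $signedIdentity, int $currentUser): bool
{
    $identity = verifyIdentity($signedIdentity);
    if ($identity === null || !ctype_digit($identity)) {
        return false;
    }
    return (OWNERS[(int)$identity] ?? null) === $currentUser;
}

$token = signIdentity('12');                               // rendered into a form for user 1
var_dump(verifyIdentity('13' . substr($token, -MAC_LENGTH))); // identity edited after signing
var_dump(verifyIdentity($token));                          // unmodified token, valid on every request
var_dump(mayUpdate($token, 1));                            // the owner submits the token
var_dump(mayUpdate($token, 2));                            // another user submits the same token
```

The HMAC only shows that the value was issued by the server; because the same token verifies for any requester, the ownership lookup in `mayUpdate()` is what decides access.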