Bug #19831

Session fixation vulnerability in user authentication

Added by Marcus Krause almost 16 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Must have
Assignee:
Category:
-
Target version:
-
Start date:
2009-01-15
Due date:
% Done:
0%

Estimated time:
TYPO3 Version:
4.0
PHP Version:
5.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

references TYPO3 Security Team OTRS issue #2008102610000015

Versions:
4.0 up to trunk (4.0, 4.1, 4.2, trunk)

Problem:
TYPO3 adopts whatever session ID a client submits in its session cookie, even when no session record with that ID exists in the database yet. An attacker can therefore plant a session ID of their own choosing in a victim's browser; once the victim authenticates, that attacker-known ID is bound to the victim's login (session fixation).

Solution:
Before using a submitted session ID, check that a session record with that ID already exists in the database; a submitted ID that has no record must not be adopted.

Provided by TYPO3 Security Team
(issue imported from #M10146)
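As an added illustration, not code from TYPO3 or from the attached patches: the snippet below simulates the decision the bug concerns, which session ID a request ends up with, showing the vulnerable behaviour beside the checked one and walking through the fixation attack against both. The SessionStore class, freshSessionId() and the resolve/login functions are assumptions made for the example; the in-memory array stands in for TYPO3's session tables, and the code assumes PHP 7.4 or newer rather than the 5.2 listed above.

```php
<?php
// Added example (not TYPO3 code): how a server chooses the session ID for a
// request, before and after the existence check described in this bug.
// The "database" is an in-memory array standing in for the session tables.

declare(strict_types=1);

final class SessionStore
{
    /** @var array<string, array{user: ?string}> session records keyed by ID */
    private array $rows = [];

    public function exists(string $id): bool
    {
        return isset($this->rows[$id]);
    }

    public function create(string $id, ?string $user = null): void
    {
        $this->rows[$id] = ['user' => $user];
    }

    public function setUser(string $id, string $user): void
    {
        $this->rows[$id]['user'] = $user;
    }

    public function delete(string $id): void
    {
        unset($this->rows[$id]);
    }

    public function userOf(string $id): ?string
    {
        return $this->rows[$id]['user'] ?? null;
    }
}

function freshSessionId(): string
{
    return bin2hex(random_bytes(16)); // 128 bits from the CSPRNG, never client-chosen
}

/**
 * Vulnerable behaviour: the ID from the cookie is adopted as-is, a record is
 * created for it if none exists, and the ID survives login unchanged.
 */
function vulnerableResolveSession(SessionStore $db, ?string $cookieId): string
{
    $id = $cookieId ?? freshSessionId();
    if (!$db->exists($id)) {
        $db->create($id); // an attacker-chosen ID becomes a real session
    }
    return $id;
}

/**
 * Checked behaviour (the check this bug adds): a client-supplied ID is honoured
 * only if a matching record already exists; anything else gets a server-generated ID.
 */
function checkedResolveSession(SessionStore $db, ?string $cookieId): string
{
    if ($cookieId !== null && $db->exists($cookieId)) {
        return $cookieId;
    }
    $id = freshSessionId();
    $db->create($id);
    return $id;
}

/**
 * Login with ID regeneration: the usual second half of session-fixation hardening
 * (standard practice, not something the patch on this page claims to do).
 */
function loginRegenerating(SessionStore $db, string $oldId, string $user): string
{
    $newId = freshSessionId();
    $db->create($newId, $user);
    $db->delete($oldId); // the pre-login ID is never valid for the logged-in user
    return $newId;
}

// Walkthrough: the attacker plants a known ID in the victim's cookie (constructed value).
$fixedByAttacker = 'attacker-chosen-id';

$db = new SessionStore();
$victimId = vulnerableResolveSession($db, $fixedByAttacker); // planted cookie accepted
$db->setUser($victimId, 'victim');                            // victim logs in, ID unchanged
printf("vulnerable: attacker's ID is logged in as %s\n", $db->userOf($fixedByAttacker) ?? 'nobody');

$db = new SessionStore();
$victimId = checkedResolveSession($db, $fixedByAttacker);     // unknown ID rejected, fresh one issued
$victimId = loginRegenerating($db, $victimId, 'victim');
printf("checked: attacker's ID is logged in as %s\n", $db->userOf($fixedByAttacker) ?? 'nobody');
```

Run with `php session_fixation.php`: the first line reports the attacker's ID bound to `victim`, the second reports `nobody`. The checked path also shows the cost recorded in the related issues below: any cookie whose ID has no database record is replaced, so sessions that existed only in the cookie (frontend sessions without a record, or cookies issued before the upgrade) are dropped and the user must start over.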


Files

10146.diff (1.44 KB), Administrator Admin, 2009-01-15 06:12
10146_trunk_v1.diff (1.18 KB), Administrator Admin, 2009-01-18 17:25

Related issues: 7 (0 open, 7 closed)

Related to TYPO3 Core - Bug #19880: Patch 10146 in Version 4.2.4 does not work for me. None of the FE Sessions are beeing kept (Closed, Michael Stucki, 2009-01-21)
Related to TYPO3 Core - Bug #19867: DB session records are only created when users authenticate (Closed, Michael Stucki, 2009-01-20)
Related to TYPO3 Core - Bug #19879: after upgrade from 4.1.7 to 4.1.8 feusers and beusers have to clear there cookie cache before they can login (Closed, Helmut Hummel, 2009-01-21)
Related to TYPO3 Core - Bug #19874: Typo3 4.1.8: fe_session_data regression due to session fixation (bug 10146) (Closed, Michael Stucki, 2009-01-21)
Related to TYPO3 Core - Bug #19908: session fixation fix avoid BE login (Closed, Oliver Hader, 2009-01-25)
Related to TYPO3 Core - Bug #20424: Built In shopping basket is not working (Closed, Benni Mack, 2009-05-14)
Related to TYPO3 Core - Bug #20290: Adding entries to recs[]-Array not working (Closed, Christian Kuhn, 2009-04-07)
#1

Updated by Marcus Krause almost 16 years ago

The first patch is for trunk only, as it makes use of the newly added function exec_SELECTcountRows(); the other one is for 4-0 up to 4-2, where the row counting is done the old way.

ready to be committed

#2

Updated by Marcus Krause almost 16 years ago

Adding new patch 10146_trunk_v1.diff, which replaces the variable name $dbres with $count as requested by Francois.

#3

Updated by Ingmar Schlecht almost 16 years ago

Committed to 4.0, 4.1, 4.2 and trunk.

#4

Updated by Benni Mack about 6 years ago

• Status changed from Resolved to Closed