Bug #22030

closed

Authentication Bypass in frontend user authentication (sysext:saltedpasswords)

Added by Marcus Krause about 14 years ago. Updated about 8 years ago.

Status: Closed
Priority: Must have
Assignee:
Category: -
Target version: -
Start date: 2010-01-30
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 4.3
PHP Version: 5.2
Tags:
Complexity:
Is Regression: No
Sprint Focus:
Description

Knowing a salted hashed password is sufficient to authenticate a Frontend user when the system extension saltedpasswords is activated for the frontend.

Copy a salted hashed password from a FE user record. Make a login attempt with username and this copied salted password hash.

Due to regularly dealing with SQL Injection issues, we obviously want to prevent such bypassing.

Reported by Sven Haertwig

Vulnerable TYPO3 Core versions: 4.3.0, 4.3.1

TYPO3 Security OTRS X-Reference: #2010013010000011
(issue imported from #M13372)


Files

0013372.diff (2.72 KB), Administrator Admin, 2010-01-30 12:17
0013372-v2.diff (2.26 KB), Administrator Admin, 2010-02-01 16:59

Related issues: 2 (0 open, 2 closed)

Related to TYPO3 Core - Bug #51941: Exclusive FE usage flag in configuration has no effect (Closed, 2013-09-12)
Related to TYPO3 Core - Bug #73673: Service chaining impossible with SaltedPasswordService (Closed, 2016-02-25)

#1

Updated by Marcus Krause about 14 years ago

(Initial) patch introduces a new variable in saltedpasswords' service class that overwrites extension configuration variable "onlyAuthService".

Using the extension configuration variable "onlyAuthService", you can decide if further authentication methods should be tried in case authentication fails.

The new behaviour to be introduced:
If we clearly identify a salted hashed password in the database user record and authentication fails, there's no sense in trying another authentication method. We are overwriting whatever is set in "onlyAuthService" and return a code "0" that stops further authentication attempts.
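
The behaviour change described in this comment, as an added example that is not part of the issue thread or of the TYPO3 patch: a simplified model of a chained login check in which the salted-password service either hands a failed check on to the next service or stops the chain with code 0. The function names, the return codes 200 and 100, the MD5-crypt sample record and the fallback service that compares the submitted value with the stored field as-is are assumptions of this model.

```php
<?php
// Added illustration, not TYPO3 code. Return codes assumed by this model:
// 200 = authenticated, 100 = undecided (ask the next service), 0 = failed, stop.

function isSaltedHash(string $stored): bool
{
    return strncmp($stored, '$1$', 3) === 0; // model recognises MD5-crypt only
}

// Salted-password service. $patched = false models the behaviour before the
// fix, where only the "onlyAuthService" setting decides whether the chain stops.
function saltedService(string $submitted, string $stored, bool $onlyAuthService, bool $patched): int
{
    if (!isSaltedHash($stored)) {
        return 100; // nothing salted in the record: leave it to other services
    }
    if (hash_equals($stored, crypt($submitted, $stored))) {
        return 200;
    }
    // Stored value is clearly a salted hash and the check failed.
    return ($patched || $onlyAuthService) ? 0 : 100;
}

// Hypothetical fallback service: compares the submitted value with the stored
// field as-is (an assumption; the page does not show the next method).
function fallbackService(string $submitted, string $stored): int
{
    return hash_equals($stored, $submitted) ? 200 : 0;
}

function login(string $submitted, string $stored, bool $onlyAuthService, bool $patched): bool
{
    $code = saltedService($submitted, $stored, $onlyAuthService, $patched);
    if ($code === 100) {
        $code = fallbackService($submitted, $stored);
    }
    return $code >= 200;
}

$stored = crypt('correct horse', '$1$c0nstrct$'); // constructed user record value
foreach ([false, true] as $patched) {
    printf(
        "%-9s real password: %s | wrong password: %s | stored hash as password: %s\n",
        $patched ? 'patched' : 'unpatched',
        var_export(login('correct horse', $stored, false, $patched), true),
        var_export(login('wrong', $stored, false, $patched), true),
        var_export(login($stored, $stored, false, $patched), true)
    );
}
```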

#2

Updated by Dmitry Dulepov about 14 years ago

I attached a patch with the renamed variable. I do not insist on renaming but I think it is more clear this way.

+1 to the patch by testing and reading.

#3

Updated by Dmitry Dulepov about 14 years ago

Hm. Mantis renamed my file to just "v2.diff" (stripped bug number).

#4

Updated by Oliver Hader about 14 years ago

Committed to SVN
  • TYPO3_4-3 (rev. 6980)
  • Trunk (rev. 6979)

#5

Updated by Helmut Hummel about 8 years ago

  • Project changed from 1716 to TYPO3 Core
  • Description updated (diff)
  • Category deleted (Communication)
  • Target version deleted (-1)
  • Is Regression set to No