Bug #24456

Information disclosure during backend login

Added by Helmut Hummel about 10 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Must have
Assignee:
-
Category:
-
Target version:
Start date:
2011-01-03
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
4.2
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

If a wrong username is submitted, different HTTP headers are sent than
when only the password is wrong. This gives an attacker more
information than intended.

I tracked down this problem to the various session_start() calls, which
also send HTTP headers by default. If the submitted username exists, a
PHP session is started to get the challenge out of the session
(compareUident()). This sends out some HTTP headers which are then
partly overridden by header() calls (sendNoCacheHeaders()) with the
same HTTP headers (both happening in t3lib_userauth).

OTRS: 2011010210000017
Reporter: Sebastian Schinzel
(issue imported from #M16894)

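A check for this class of leak, added here as an illustration and not part of the report or of TYPO3: two failed login responses are compared after their headers are normalised, so that the session cookie and cache-limiter headers that session_start() emits only for an existing username show up as a difference. The two responses are constructed for the example (the header sets, the PHPSESSID value and the Pragma header are assumptions about what PHP's default session handling adds, not captures from a TYPO3 instance), and the names parse_headers, fingerprint, header_oracle and leaks_username_validity are the example's own.

```python
"""Added example: detect a username-existence oracle in HTTP response
headers, the class of leak described in this report. Not TYPO3 code.

Two failed logins are compared: one with a username that does not exist
and one with an existing username and a wrong password. If the normalised
header sets differ, an attacker can tell valid usernames from invalid ones
without ever guessing a password.
"""
from typing import Dict, List, Tuple

# Constructed sample (not captured from TYPO3): unknown username, no
# session started, only the application's own no-cache headers.
RESP_UNKNOWN_USER = """HTTP/1.1 200 OK
Date: Mon, 03 Jan 2011 00:52:00 GMT
Server: Apache
Cache-Control: no-cache, must-revalidate
Expires: 0
Content-Type: text/html; charset=utf-8
"""

# Constructed sample: existing username, wrong password. Assumed to carry
# what PHP's default session handling adds on session_start(): a session
# cookie and a Pragma header that the application did not override.
RESP_WRONG_PASSWORD = """HTTP/1.1 200 OK
Date: Mon, 03 Jan 2011 00:52:01 GMT
Server: Apache
Set-Cookie: PHPSESSID=3f9a1c7e2b8d4f6a9c0e1b2d3f4a5b6c; path=/
Expires: 0
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=utf-8
"""

# Headers that legitimately differ between any two responses.
VOLATILE = {"date", "content-length", "x-request-id"}

Header = Tuple[str, str]


def parse_headers(raw: str) -> List[Header]:
    """Split a raw HTTP response into (lowercase-name, value) pairs,
    skipping the status line and stopping at the blank line before the body."""
    headers: List[Header] = []
    for line in raw.strip().splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def fingerprint(headers: List[Header]) -> Dict[str, List[str]]:
    """Reduce a header list to a comparable shape: volatile headers dropped,
    Set-Cookie reduced to cookie name plus attribute names, so a fresh
    random session ID on every request does not mask or fake a difference."""
    fp: Dict[str, List[str]] = {}
    for name, value in headers:
        if name in VOLATILE:
            continue
        if name == "set-cookie":
            cookie, _, attrs = value.partition(";")
            cookie_name = cookie.split("=", 1)[0].strip()
            attr_names = sorted(
                a.split("=", 1)[0].strip().lower()
                for a in attrs.split(";") if a.strip()
            )
            value = cookie_name + ";" + ",".join(attr_names)
        fp.setdefault(name, []).append(value)
    return fp


def header_oracle(resp_a: str, resp_b: str) -> Dict[str, Tuple[List[str], List[str]]]:
    """Return every header whose presence or normalised value differs
    between the two responses, mapped to (values in a, values in b)."""
    fa, fb = fingerprint(parse_headers(resp_a)), fingerprint(parse_headers(resp_b))
    return {
        name: (fa.get(name, []), fb.get(name, []))
        for name in sorted(set(fa) | set(fb))
        if fa.get(name, []) != fb.get(name, [])
    }


def leaks_username_validity(resp_unknown_user: str, resp_wrong_password: str) -> bool:
    """True if the server's headers distinguish the two failure cases."""
    return bool(header_oracle(resp_unknown_user, resp_wrong_password))


if __name__ == "__main__":
    for name, (a, b) in header_oracle(RESP_UNKNOWN_USER, RESP_WRONG_PASSWORD).items():
        print(f"{name}: unknown user={a!r}  wrong password={b!r}")
```

To run this against a real target, replace the two constructed responses with the raw headers of two captured login attempts (unknown user, and known user with a wrong password). A non-empty result, in particular a Set-Cookie entry present on only one side, is the oracle this report describes; after a fix, both failure paths should produce the same normalised header set and the check should return an empty dict.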

Files

16894_trunk.diff (616 Bytes) - Administrator Admin, 2011-01-03 00:52
24456_42.patch (545 Bytes) - Updated patch, Oliver Hader, 2011-04-28 22:23
24456_v2.diff (1.04 KB) - Helmut Hummel, 2011-07-13 23:27
24456_43.patch (1.02 KB) - Oliver Hader, 2011-07-22 16:08
24456_44.patch (1.02 KB) - Oliver Hader, 2011-07-22 16:08
24456_45.patch (1.01 KB) - Oliver Hader, 2011-07-22 16:08
24456_46.patch (1.03 KB) - Oliver Hader, 2011-07-22 16:08

Related issues

Related to TYPO3 Core - Bug #29274: Regression on session handling for security fix (Closed, Helmut Hummel, 2011-08-26)
Related to TYPO3 Core - Bug #28948: Session is always started (Closed, 2011-08-12)
Related to TYPO3 Core - Bug #28900: All links have Parameter PHPSESSID at first load of website URL (Closed, Manfred Langhammer, 2011-08-10)
Related to TYPO3 Core - Bug #28694: PHP Warning: session_start() (Closed, 2011-08-03)

#1

Updated by Oliver Hader almost 10 years ago

#2

Updated by Oliver Hader almost 10 years ago

  • Status changed from New to Under Review
#3

Updated by Michael Stucki almost 10 years ago

  • Target version deleted (1076)
#4

Updated by Helmut Hummel over 9 years ago

  • Target version set to 4.5.4
#5

Updated by Helmut Hummel over 9 years ago

This patch fixes the issue and makes login possible with phpMyAdmin enabled.

#7

Updated by Marcus Krause over 9 years ago

  • Has patch changed from No to Yes

Mentioned in Bulletin

#8

Updated by Anonymous over 9 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
#9

Updated by Helmut Hummel over 9 years ago

  • Project changed from Core Security to TYPO3 Core
#10

Updated by Riccardo De Contardi over 3 years ago

  • Status changed from Resolved to Closed
