Bug #89937

Insecure Deserialization when knowing encryptionKey in Extbase

Added by Oliver Hader 11 months ago. Updated 8 months ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2019-12-13
Due date:
% Done:

100%

TYPO3 Version:
8
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Back-porting https://review.typo3.org/c/Packages/TYPO3.CMS/+/61223 might be the best way to do it.
However, existing applications might have used their own way of creating those requests with PHP's serialize - that's why


Related issues

Related to TYPO3 Core - Bug #89434: Action argument values will get lost on validation error Closed 2019-10-16

Associated revisions

Revision 57e4ed35 (diff)
Added by Oliver Hader 11 months ago

[SECURITY] Avoid possible insecure deserialization in Extbase

Albeit requests to Extbase's property mapper won't be processed
in case the required cryptographic hash is not given or invalid
(as HMAC-SHA1 on payload having TYPO3 encryptionKey as secret),
a leaked encryptionKey (e.g. from backup files, pushed to public
repository by accident) would allow insecure deserialization.

TYPO3 v10 is using json_decode instead of unserialize which was
not feasible in existing LTS branches due to potential backward
compatibility side-effects.

Resolves: #89937
Releases: 9.5, 8.7
Security-Commit: f3bfe26b1286ed3639dfef38b1ce3cafcf2b2397
Security-Bulletin: TYPO3-PSA-2019-011
Change-Id: I95fb5998d4e9610d3458d25019f27ccb490a035e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62695
Tested-by: Oliver Hader <>
Reviewed-by: Oliver Hader <>

Revision b1626ad8 (diff)
Added by Oliver Hader 11 months ago

[SECURITY] Avoid possible insecure deserialization in Extbase

Albeit requests to Extbase's property mapper won't be processed
in case the required cryptographic hash is not given or invalid
(as HMAC-SHA1 on payload having TYPO3 encryptionKey as secret),
a leaked encryptionKey (e.g. from backup files, pushed to public
repository by accident) would allow insecure deserialization.

TYPO3 v10 is using json_decode instead of unserialize which was
not feasible in existing LTS branches due to potential backward
compatibility side-effects.

Resolves: #89937
Releases: 9.5, 8.7
Security-Commit: 5d903ff53e49edef35fa8b97c0d42af021b36a52
Security-Bulletin: TYPO3-PSA-2019-011
Change-Id: I984464bfa99165d424d122a8d8e8c499197b386b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62702
Tested-by: Oliver Hader <>
Reviewed-by: Oliver Hader <>
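
The commit messages above describe the shape of the check: an HMAC-SHA1 over the payload with the encryptionKey as secret, followed by unserialize in the LTS branches and json_decode in v10. The following is an added PHP sketch of both decoders side by side, not TYPO3's own code; it assumes a constructed ENCRYPTION_KEY and hypothetical function names (TYPO3 itself uses its HashService and PropertyMapper).

```php
<?php
// Added example, not TYPO3's code: it assumes a constructed ENCRYPTION_KEY and
// hypothetical helper names; TYPO3 itself uses its HashService/PropertyMapper.

const ENCRYPTION_KEY = 'constructed-example-key-not-a-real-secret';

// HMAC-SHA1 over the payload with the encryptionKey as secret, as described above.
function signPayload(string $payload, string $key = ENCRYPTION_KEY): string
{
    return hash_hmac('sha1', $payload, $key);
}

// Constant-time comparison of the transmitted hash before anything is decoded.
function verifyPayload(string $payload, string $hmac, string $key = ENCRYPTION_KEY): bool
{
    return hash_equals(signPayload($payload, $key), $hmac);
}

// Legacy shape: unserialize() once the HMAC matches. Whoever holds the key can
// sign any serialized string, and unserialize() then instantiates whatever
// classes that string names. The HMAC is authentication, not input validation.
function decodeLegacy(string $payload, string $hmac)
{
    if (!verifyPayload($payload, $hmac)) {
        throw new RuntimeException('HMAC mismatch');
    }
    return unserialize($payload);
}

// Hardened shape (the v10 approach the commit message names): json_decode() to
// plain arrays, so a correctly signed payload can only yield scalars and arrays.
function decodeHardened(string $payload, string $hmac): array
{
    if (!verifyPayload($payload, $hmac)) {
        throw new RuntimeException('HMAC mismatch');
    }
    $data = json_decode($payload, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new RuntimeException('Expected a JSON object holding the arguments');
    }
    return $data;
}

// Constructed demo: the same action arguments wrapped both ways.
$arguments = ['uid' => 42, 'title' => 'hello'];
$json = json_encode($arguments);
var_dump(decodeHardened($json, signPayload($json)));
$php = serialize($arguments);
var_dump(decodeLegacy($php, signPayload($php)));
```

Both decoders accept the well-formed arguments, but only the json_decode variant stays bounded to arrays when the key is no longer secret; the HMAC check alone does not change what unserialize() is willing to construct.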

History

#1 Updated by Gerrit Code Review 11 months ago

  • Status changed from New to Under Review

Patch set 1 for branch 9.5 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/c/Teams/Security/TYPO3v4-Core/+/62619

#2 Updated by Gerrit Code Review 11 months ago

Patch set 1 for branch TYPO3_8-7 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/c/Teams/Security/TYPO3v4-Core/+/62620

#3 Updated by Gerrit Code Review 11 months ago

Patch set 2 for branch 9.5 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/c/Teams/Security/TYPO3v4-Core/+/62619

#4 Updated by Gerrit Code Review 11 months ago

Patch set 2 for branch TYPO3_8-7 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/c/Teams/Security/TYPO3v4-Core/+/62620

#5 Updated by Gerrit Code Review 11 months ago

Patch set 3 for branch TYPO3_8-7 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/c/Teams/Security/TYPO3v4-Core/+/62620

#6 Updated by Gerrit Code Review 11 months ago

Patch set 3 for branch 9.5 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/c/Teams/Security/TYPO3v4-Core/+/62619

#7 Updated by Gerrit Code Review 11 months ago

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62695

#8 Updated by Gerrit Code Review 11 months ago

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62702

#9 Updated by Oliver Hader 11 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#10 Updated by Oliver Hader 9 months ago

  • Related to Bug #89434: Action argument values will get lost on validation error added

#11 Updated by Oliver Hader 9 months ago

  • Project changed from Core Security to TYPO3 Core
  • Category deleted (OW-A08: Insecure Deserialization)
  • Target version deleted (public)

#12 Updated by Benni Mack 8 months ago

  • Status changed from Resolved to Closed
