Bug #91396

Story #91384: Backend login and referrer problems after recent TYPO3 9.5.17 and 10.4.2 security fixes

Allow SSO authentication handlers to pass SSRF referrer checks

Added by Oliver Hader 5 months ago. Updated 5 months ago.

Status: Closed
Priority: Should have
Assignee:
Category: Security
Target version:
Start date: 2020-05-14
Due date:
% Done: 100%
TYPO3 Version: 9
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Scenario

Observation

  • request is actually correct
  • referrer is sent - but with something "external" from /typo3/ (that is the subject we want and must protect from being called directly)

Variations

  • cross-site
    • Referer: https://sso.example.org/auth
    • expected Referer: https://example.org/typo3/.+
  • same-site
    • Referer: https://example.org/?eID=auth
    • expected Referer: https://example.org/typo3/.+
  • same-origin (the regular case)
    • Referer: https://example.org/typo3/index.php?route=%2Flogin
    • expected Referer: https://example.org/typo3/.+

Related issues

Duplicated by TYPO3 Core - Bug #91414: After update from 9.5.16 to 9.5.17 I get an error 'Missing referrer for /main' in /typo3 Closed 2020-05-15

Associated revisions

Revision fbafe16c (diff)
Added by Oliver Hader 5 months ago

[BUGFIX] Allow multiple referrer types in backend main route

With TYPO3-CORE-SA-2020-006 (SSRF via XSS) a strict referrer handling
has been introduced to avoid the TYPO3 backend being called from other
non same-origin locations. In case an HTTP referrer header was empty
the system tried to refresh the view - otherwise the request was
denied completely.

It turned out that this scenario was probably too strict; disabling
the feature `security.backend.enforceReferrer` was the only work-around
for site administrators.

This change adds new options for handling referrers in backend routes:
  • refresh-empty (existed already): refresh in case the referrer is empty
  • refresh-same-site: refresh in case the referrer is on the same site, like
    `https://example.org/?eID=auth` calling `https://example.org/typo3/`
  • refresh-always: always refresh in case there is no valid referrer

TYPO3's main backend route is using `refresh-always` now to be more
relaxed on handling same-site and cross-site referrers as well.

The term "refreshing" relates to triggering a reload in the browser to
get the referrer of the current location. This still blocks direct
CSRF/SSRF requests since the refreshing HTML instructions are
delivered back to the client. Besides that, cross-site requests are
covered by the `same-site` cookie policy and existing CSRF tokens.

Resolves: #91396
Releases: master, 9.5
Change-Id: Ib3756671fa60c6f41ba992d0e645f03da1730d19
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64492
Tested-by: Susanne Moog <>
Tested-by: TYPO3com <>
Tested-by: Richard Haeser <>
Reviewed-by: Susanne Moog <>
Reviewed-by: Richard Haeser <>
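As an added example (not TYPO3's own code), the following PHP sketches the referrer handling described in the Description's Variations and in the commit message above: classify the Referer relative to the protected backend URL, then apply the route's refresh options, and answer non-valid cases with an inert refresh page instead of executing anything. Function names, the HTML of the refresh response, and the path-based notion of "same-site" (taken from the issue's Variations, not the Public Suffix List definition) are assumptions of this example.

```php
<?php
declare(strict_types=1);
// Illustrative example (not TYPO3 core code). "same-site" follows the issue's
// Variations: same scheme and host, but a path outside the protected prefix.
function classifyReferrer(string $protectedBase, string $referrer): string
{
    if ($referrer === '') {
        return 'empty';
    }
    $base = parse_url($protectedBase);
    $ref = parse_url($referrer);
    if ($ref === false || empty($ref['scheme']) || empty($ref['host'])) {
        return 'invalid';
    }
    $sameHost = strcasecmp($ref['scheme'], $base['scheme']) === 0
        && strcasecmp($ref['host'], $base['host']) === 0
        && ($ref['port'] ?? null) === ($base['port'] ?? null);
    if (!$sameHost) {
        return 'cross-site';                   // e.g. https://sso.example.org/auth
    }
    $basePath = rtrim($base['path'] ?? '/', '/') . '/';
    // same-origin: https://example.org/typo3/...; same-site: https://example.org/?eID=auth
    return strpos($ref['path'] ?? '/', $basePath) === 0 ? 'same-origin' : 'same-site';
}
// Same-origin passes; otherwise refresh only when a matching route option is
// set (refresh-always covers every non-valid case), else deny the request.
function decideReferrerHandling(string $class, array $routeOptions): string
{
    if ($class === 'same-origin') {
        return 'allow';
    }
    $refresh = in_array('refresh-always', $routeOptions, true)
        || ($class === 'empty' && in_array('refresh-empty', $routeOptions, true))
        || ($class === 'same-site' && in_array('refresh-same-site', $routeOptions, true));
    return $refresh ? 'refresh' : 'deny';
}
// The refresh answer is inert HTML: a server-side or scripted fetch only gets
// these instructions back, while a real browser navigates again and then sends
// the backend URL itself as Referer. JSON encoding keeps the URL safe in <script>.
function refreshResponseBody(string $currentUrl): string
{
    $url = json_encode($currentUrl, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return '<!DOCTYPE html><html><head><meta charset="utf-8"><script>window.location.href = '
        . $url . ';</script></head><body>Refreshing...</body></html>';
}
foreach (['https://sso.example.org/auth', 'https://example.org/?eID=auth',
          'https://example.org/typo3/index.php?route=%2Flogin', ''] as $referrer) {
    $class = classifyReferrer('https://example.org/typo3/', $referrer);
    printf("%-50s %-11s %s\n", $referrer ?: '(empty)', $class,
        decideReferrerHandling($class, ['refresh-always']));
}
```

With `['refresh-always']` the cross-site, same-site and empty cases all yield `refresh` while only the `/typo3/` referrer yields `allow`; swapping in `['refresh-empty']` reproduces the pre-fix behaviour, where the SSO and eID variations are denied.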

Revision 6d9e803c (diff)
Added by Oliver Hader 5 months ago

[BUGFIX] Allow multiple referrer types in backend main route

With TYPO3-CORE-SA-2020-006 (SSRF via XSS) a strict referrer handling
has been introduced to avoid the TYPO3 backend being called from other
non same-origin locations. In case an HTTP referrer header was empty
the system tried to refresh the view - otherwise the request was
denied completely.

It turned out that this scenario was probably too strict; disabling
the feature `security.backend.enforceReferrer` was the only work-around
for site administrators.

This change adds new options for handling referrers in backend routes:
  • refresh-empty (existed already): refresh in case the referrer is empty
  • refresh-same-site: refresh in case the referrer is on the same site, like
    `https://example.org/?eID=auth` calling `https://example.org/typo3/`
  • refresh-always: always refresh in case there is no valid referrer

TYPO3's main backend route is using `refresh-always` now to be more
relaxed on handling same-site and cross-site referrers as well.

The term "refreshing" relates to triggering a reload in the browser to
get the referrer of the current location. This still blocks direct
CSRF/SSRF requests since the refreshing HTML instructions are
delivered back to the client. Besides that, cross-site requests are
covered by the `same-site` cookie policy and existing CSRF tokens.

Resolves: #91396
Releases: master, 9.5
Change-Id: Ib3756671fa60c6f41ba992d0e645f03da1730d19
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64499
Tested-by: TYPO3com <>
Tested-by: Oliver Hader <>
Reviewed-by: Oliver Hader <>

Revision 86b9b4a2 (diff)
Added by Oliver Hader 5 months ago

[BUGFIX] Allow referrer refresh in install tool

With TYPO3-CORE-SA-2020-006 (SSRF via XSS) a strict referrer handling
has been introduced to avoid the install tool being called from other
non same-origin locations. In case an HTTP referrer header was empty
the system tried to refresh the view - otherwise the request was
denied completely.

Changes of issue #91396 using refresh-always are applied as well.

Resolves: #91433
Related: #91396
Releases: master, 9.5
Change-Id: I2a570da4f2a933e709d653b54f1d53d5055ef3f7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64519
Tested-by: TYPO3com <>
Tested-by: Oliver Hader <>
Reviewed-by: Oliver Hader <>

Revision 8a137310 (diff)
Added by Oliver Hader 5 months ago

[BUGFIX] Allow referrer refresh in install tool

With TYPO3-CORE-SA-2020-006 (SSRF via XSS) a strict referrer handling
has been introduced to avoid the install tool being called from other
non same-origin locations. In case an HTTP referrer header was empty
the system tried to refresh the view - otherwise the request was
denied completely.

Changes of issue #91396 using refresh-always are applied as well.

Resolves: #91433
Related: #91396
Releases: master, 9.5
Change-Id: I2a570da4f2a933e709d653b54f1d53d5055ef3f7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64518
Tested-by: TYPO3com <>
Tested-by: Oliver Hader <>
Reviewed-by: Oliver Hader <>

History

#1 Updated by Oliver Hader 5 months ago

  • Description updated (diff)

#2 Updated by Oliver Hader 5 months ago

  • Status changed from New to Accepted
  • Target version set to 9.5.18 & 10.4.3

#3 Updated by Richard Haeser 5 months ago

We have exactly this scenario with the OpenID extension: friendsoftypo3/openid

#4 Updated by Gerrit Code Review 5 months ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64492

#5 Updated by Gerrit Code Review 5 months ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64492

#6 Updated by David Rellstab 5 months ago

Tested and verified the patch with our sso setup on TYPO3 9.5.17.

Patch resolves the issue for our use case.

#7 Updated by Gerrit Code Review 5 months ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64492

#8 Updated by Richard Haeser 5 months ago

  • Duplicated by Bug #91414: After update from 9.5.16 to 9.5.17 I get an error 'Missing referrer for /main' in /typo3 added

#9 Updated by Richard Haeser 5 months ago

  • Duplicated by Bug #91415: After Update from 9.5.14 to 9.5.17 - backend and installer login are not working added

#10 Updated by Richard Haeser 5 months ago

  • Duplicated by deleted (Bug #91415: After Update from 9.5.14 to 9.5.17 - backend and installer login are not working)

#11 Updated by Gerrit Code Review 5 months ago

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64499

#12 Updated by Gerrit Code Review 5 months ago

Patch set 2 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64499

#13 Updated by Gerrit Code Review 5 months ago

Patch set 3 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64499

#14 Updated by Gerrit Code Review 5 months ago

Patch set 4 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64499

#15 Updated by Oliver Hader 5 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#16 Updated by Gerrit Code Review 5 months ago

  • Status changed from Resolved to Under Review

Patch set 5 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64499

#17 Updated by Oliver Hader 5 months ago

  • Status changed from Under Review to Resolved

#18 Updated by Benni Mack 5 months ago

  • Status changed from Resolved to Closed
