Bug #91396: Allow SSO authentication handlers to pass SSRF referrer checks
Status: Closed
Parent: Story #91384: Backend login and referrer problems after recent TYPO3 9.5.17 and 10.4.2 security fixes
Done: 100%
Description
Scenario
- https://sso.example.org/auth used to authenticate
- https://example.org/?eID=auth used for session transfer/activation (or similar technique, invoking a "callback")
  - request header: Referer: https://sso.example.org/auth
  - response header: Location: https://example.org/typo3/
- https://example.org/typo3/ as redirect
  - request header: Referer: https://sso.example.org/auth (still the external SSO, since redirected via Location: headers)
  - response header: Location: http://example/typo3/index.php?route=%2Fmain&token=1ed543d6ba3594722a69a1969abc15046631d7a5
- http://example/typo3/index.php?route=%2Fmain&token=1ed543d6ba3594722a69a1969abc15046631d7a5 checking the referrer
  - request header: Referer: https://sso.example.org/auth (still the external SSO, since redirected via Location: headers)
Observation
- the request itself is actually correct
- a referrer is sent, but it is something "external" from the perspective of /typo3/ (that is the subject we want and must protect from being called directly)
Variations
- cross-site: Referer: https://sso.example.org/auth
  - expected: Referer: https://example.org/typo3/.+
- same-site: Referer: https://example.org/?eID=auth
  - expected: Referer: https://example.org/typo3/.+
- same-origin (the regular case): Referer: https://example.org/typo3/index.php?route=%2Flogin
  - expected: Referer: https://example.org/typo3/.+
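The redirect chain and the three referrer variations above, as an added worked example in Python (not TYPO3 code and not the fix that was merged): a minimal model of a user agent that keeps the initiating Referer across Location: redirects, a classifier that follows the report's own labels (cross-site, same-site, same-origin) rather than the Fetch specification's same-site definition, and a check against the expected pattern with an optional allow-list of trusted SSO origins. The allow-list, the request URL used for classification and all helper names are assumptions made for the illustration.

```python
"""Model of the referrer situation described in the report (constructed example)."""
import re
from urllib.parse import urlparse

# Pattern the report gives as the expected Referer for backend requests.
EXPECTED_REFERRER = re.compile(r"^https://example\.org/typo3/.+")
BACKEND_PATH = "/typo3/"

# Constructed: redirect chain from the report, keyed by requested URL -> Location target.
RESPONSES = {
    "https://example.org/?eID=auth": "https://example.org/typo3/",
    "https://example.org/typo3/":
        "http://example/typo3/index.php?route=%2Fmain&token=1ed543d6ba3594722a69a1969abc15046631d7a5",
}
SSO_REFERER = "https://sso.example.org/auth"
# Constructed backend request URL used for the classification examples (assumption).
BACKEND_REQUEST = "https://example.org/typo3/index.php?route=%2Fmain"


def origin(url):
    """(scheme, host, port) tuple; default ports filled in so http://a and http://a:80 match."""
    p = urlparse(url)
    port = p.port or {"https": 443, "http": 80}.get(p.scheme)
    return (p.scheme, p.hostname, port)


def follow_redirects(start_url, initial_referer, responses):
    """Simulate a user agent following 3xx Location: headers.

    The Referer of a redirected request stays the referrer of the request that
    initiated the navigation; the redirecting URL is not substituted. This is
    why the backend still sees the external SSO URL at the end of the chain.
    Returns the list of (request_url, referer) pairs that were sent.
    """
    sent = []
    url = start_url
    while url is not None:
        sent.append((url, initial_referer))
        url = responses.get(url)
    return sent


def report_chain():
    """The chain from the report: callback -> /typo3/ -> route=/main."""
    return follow_redirects("https://example.org/?eID=auth", SSO_REFERER, RESPONSES)


def classify_referrer(referer, request_url):
    """Label a Referer the way the report does.

    cross-site  : different origin (the external SSO host)
    same-site   : same origin but outside the backend path (e.g. /?eID=auth)
    same-origin : same origin and inside /typo3/ (the regular case)
    """
    if not referer:
        return "missing"
    if origin(referer) != origin(request_url):
        return "cross-site"
    if urlparse(referer).path.startswith(BACKEND_PATH):
        return "same-origin"
    return "same-site"


def referrer_passes(referer, allowed_sso_origins=()):
    """Strict check from the report, plus an assumed allow-list of SSO origins.

    A missing Referer is rejected: the check exists to ensure /typo3/ was not
    entered directly, so absence of evidence is treated as failure.
    """
    if not referer:
        return False
    if EXPECTED_REFERRER.match(referer):
        return True
    return any(origin(referer) == origin(a) for a in allowed_sso_origins)


if __name__ == "__main__":
    for url, ref in report_chain():
        print(f"GET {url}\n  Referer: {ref}  -> {classify_referrer(ref, url)}")
    print("strict check:", referrer_passes(SSO_REFERER))
    print("with SSO allow-list:",
          referrer_passes(SSO_REFERER, allowed_sso_origins=("https://sso.example.org",)))
```

Run stand-alone, the script prints every request of the chain with the unchanged SSO Referer, shows the strict check rejecting it, and shows it passing once the SSO origin is explicitly trusted. The allow-list is deliberately origin-based (scheme, host, port) rather than a substring match, so a lookalike host such as sso.example.org.attacker.example does not pass.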
Updated by Oliver Hader over 4 years ago
- Status changed from New to Accepted
- Target version set to 9.5.18 & 10.4.3
Updated by Richard Haeser over 4 years ago
We have exactly this scenario with the OpenID extension: friendsoftypo3/openid
Updated by Gerrit Code Review over 4 years ago
- Status changed from Accepted to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64492
Updated by Gerrit Code Review over 4 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64492
Updated by David Rellstab over 4 years ago
Tested and verified the patch with our sso setup on TYPO3 9.5.17.
Patch resolves the issue for our use case.
Updated by Gerrit Code Review over 4 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64492
Updated by Richard Haeser over 4 years ago
- Has duplicate Bug #91414: After update from 9.5.16 to 9.5.17 I get an error 'Missing referrer for /main' in /typo3 added
Updated by Richard Haeser over 4 years ago
- Has duplicate Bug #91415: After Update from 9.5.14 to 9.5.17 - backend and installer login are not working added
Updated by Richard Haeser over 4 years ago
- Has duplicate deleted (Bug #91415: After Update from 9.5.14 to 9.5.17 - backend and installer login are not working)
Updated by Gerrit Code Review over 4 years ago
Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64499
Updated by Gerrit Code Review over 4 years ago
Patch set 2 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64499
Updated by Gerrit Code Review over 4 years ago
Patch set 3 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64499
Updated by Gerrit Code Review over 4 years ago
Patch set 4 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64499
Updated by Oliver Hader over 4 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset fbafe16c48fa47fd8d5d4d66436700b8d85d1bfa.
Updated by Gerrit Code Review over 4 years ago
- Status changed from Resolved to Under Review
Patch set 5 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64499
Updated by Oliver Hader over 4 years ago
- Status changed from Under Review to Resolved
Applied in changeset 6d9e803c039257392a7b4ae487be33b93fea42af.