Bug #91396
Story #91384 (closed): Backend login and referrer problems after recent TYPO3 9.5.17 and 10.4.2 security fixes
Allow SSO authentication handlers to pass SSRF referrer checks
Status:
Closed
Priority:
Should have
Assignee:
Category:
Security
Target version:
Start date:
2020-05-14
Due date:
% Done:
100%
Estimated time:
TYPO3 Version:
9
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:
Description
Scenario
- https://sso.example.org/auth used to authenticate
- https://example.org/?eID=auth used for session transfer/activation (or a similar technique, invoking a "callback")
  - request header: Referer: https://sso.example.org/auth
  - response header: Location: https://example.org/typo3/
- https://example.org/typo3/ as redirect
  - request header: Referer: https://sso.example.org/auth (still the external SSO, since redirected via Location: headers)
  - response header: Location: http://example/typo3/index.php?route=%2Fmain&token=1ed543d6ba3594722a69a1969abc15046631d7a5
- http://example/typo3/index.php?route=%2Fmain&token=1ed543d6ba3594722a69a1969abc15046631d7a5 checking the referrer
  - request header: Referer: https://sso.example.org/auth (still the external SSO, since redirected via Location: headers)
Observation
- the request itself is actually correct
- a referrer is sent, but it points to something "external" to /typo3/ (which is the area we want and must protect from being called directly)
Variations
- cross-site
  - actual: Referer: https://sso.example.org/auth
  - expected: Referer: https://example.org/typo3/.+
- same-site
  - actual: Referer: https://example.org/?eID=auth
  - expected: Referer: https://example.org/typo3/.+
- same-origin (the regular case)
  - actual: Referer: https://example.org/typo3/index.php?route=%2Flogin
  - expected: Referer: https://example.org/typo3/.+
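The three variations above, worked through as an added example (not TYPO3's own code): a strict referrer check that only accepts a /typo3/ referrer, beside the same check with an allowance for registered SSO handlers. The handler allowlist (the SSO URL and the eID callback from the scenario) is an assumption made for this illustration.

```python
from urllib.parse import urlsplit

# Values taken from the issue: the protected backend path, the external SSO
# handler and the same-site eID callback. Treating those two handlers as a
# registered allowlist is an assumption for this example, not TYPO3's
# actual implementation.
BACKEND_PATH = "/typo3/"
SSO_HANDLER_PREFIXES = (
    "https://sso.example.org/auth",
    "https://example.org/?eID=auth",
)


def origin(url: str) -> str:
    """scheme://host[:port] of a URL, lower-cased for comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def classify_referrer(referer: str, request_url: str) -> str:
    """Classify the Referer relative to the backend request being served.

    "same-origin": a backend URL under /typo3/ (the regular login case)
    "same-site":   same origin but outside /typo3/ (e.g. the eID callback)
    "cross-site":  a different origin (e.g. the external SSO)
    "missing":     no Referer header at all
    """
    if not referer:
        return "missing"
    if origin(referer) != origin(request_url):
        return "cross-site"
    if urlsplit(referer).path.startswith(BACKEND_PATH):
        return "same-origin"
    return "same-site"


def referrer_check_passes(referer: str, request_url: str,
                          allow_sso_handlers: bool = False) -> bool:
    """Strict rule: only a /typo3/ referrer passes. With the handler allowance
    enabled, a referrer from a registered SSO handler passes as well, so the
    redirect chain described in the scenario is no longer rejected."""
    if classify_referrer(referer, request_url) == "same-origin":
        return True
    if allow_sso_handlers and referer:
        return any(referer.startswith(p) for p in SSO_HANDLER_PREFIXES)
    return False
```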