Moritz Muehlenhoff
2010-Jan-27 18:55 UTC
[Secure-testing-team] Bug#567163: TYPO3-SA-2010-001: Authentication Bypass in TYPO3 Core
Package: typo3-src Severity: grave Tags: security http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-001/ Apparently this only affects unstable/testing, but please double-check the Lenny status. Cheers, Moritz Vulnerable subcomponent #1: System extension openid Vulnerability Type: Authentication Bypass Severity: High Problem Description: By using an OpenID identity that is assigned to an existing backend user account, an arbitrary website user is able to login to the TYPO3 backend with granted rights of this specific user account. Prerequisites for exploiting this vulnerability is an enabled system extension "openid", knowledge of OpenID identities assigned to TYPO3 user accounts, a victim''s OpenID identity of a specific type of OpenID provider and both victim and attacker having identities at the same OpenID provider. Only OpenID identities are vulnerable whose provider discards submitted OpenID identities during authentication process and allows its users to choose a different identity to authenticate with. The TYPO3 Security Team is aware of at least one major OpenID provider that exhibits such behaviour. TYPO3 System extension "openid" is disabled by default; enabling it requires a manual change in system configuration. Solution: When using OpenID for authentication, please update to the TYPO3 version 4.3.1 that fix the problem described. Credits: Credits go to TYPO3 Core member Jeff Segars who discovered and reported the issue. Thanks to Dmitry Dulepov and Oliver Hader from the TYPO3 Core team for working on a patch. -- System Information: Debian Release: squeeze/sid APT prefers unstable APT policy: (500, ''unstable'') Architecture: i386 (i686) Kernel: Linux 2.6.32-trunk-686 (SMP w/1 CPU core) Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15 at euro (charmap=ISO-8859-15) Shell: /bin/sh linked to /bin/bash