Moritz Muehlenhoff
2010-Jan-27 18:55 UTC
[Secure-testing-team] Bug#567163: TYPO3-SA-2010-001: Authentication Bypass in TYPO3 Core
Package: typo3-src
Severity: grave
Tags: security
http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-001/
Apparently this only affects unstable/testing, but please double-check
the Lenny status.
Cheers,
Moritz
Vulnerable subcomponent #1: System extension openid
Vulnerability Type: Authentication Bypass
Severity: High
Problem Description: By using an OpenID identity that is assigned to an
existing backend user account, an arbitrary
website user is able to login to the TYPO3 backend with granted rights of
this specific user account.
Prerequisites for exploiting this vulnerability is an enabled system
extension "openid", knowledge of OpenID identities
assigned to TYPO3 user accounts, a victim''s OpenID identity of a
specific type of OpenID provider and both victim and
attacker having identities at the same OpenID provider. Only OpenID
identities are vulnerable whose provider discards
submitted OpenID identities during authentication process and allows its
users to choose a different identity to
authenticate with. The TYPO3 Security Team is aware of at least one major
OpenID provider that exhibits such behaviour.
TYPO3 System extension "openid" is disabled by default; enabling it
requires a manual change in system configuration.
Solution: When using OpenID for authentication, please update to the TYPO3
version 4.3.1 that fix the problem described.
Credits: Credits go to TYPO3 Core member Jeff Segars who discovered and
reported the issue. Thanks to Dmitry Dulepov and
Oliver Hader from the TYPO3 Core team for working on a patch.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, ''unstable'')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-trunk-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15 at euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash