[SECURITY] Deny authentication bypass using blowfish/md5 encryption 57/57557/2
author Oliver Hader <oliver@typo3.org>
Thu, 12 Jul 2018 09:35:12 +0000 (11:35 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Thu, 12 Jul 2018 09:35:16 +0000 (11:35 +0200)
commit 79260b2d9176096b33fd6ba97a255d9d8febbd30
tree 5daca47adf0ab8f1dbeee4f532dfc539e11e585a
parent 2695c32fba352d5935f25bb27ec6ca09a198f950
[SECURITY] Deny authentication bypass using blowfish/md5 encryption

Using password hashing methods that are related by class inheritance
can lead to authentication bypass by just knowing a valid username.

Resolves: #84703
Releases: master, 8.7, 7.6
Security-Commit: 2951c4fc0529ec0fd6047786edd3b7189428e574
Security-Bulletin: TYPO3-CORE-SA-2018-001
Change-Id: I859a20c85305291e1cd79b61e630bbbfc4e0568a
Reviewed-on: https://review.typo3.org/57557
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/saltedpasswords/Classes/SaltedPasswordService.php