[SECURITY] Deny authentication bypass using blowfish/md5 encryption 43/57543/2
author Oliver Hader <oliver@typo3.org>
Thu, 12 Jul 2018 09:31:43 +0000 (11:31 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Thu, 12 Jul 2018 09:31:47 +0000 (11:31 +0200)
commit cbaf75ce331327a2af360ca05be1fc6c9ffd5c6c
tree 61cf4cbeced79a16fec6eae52c0b078856494764
parent 07d9fe7be326aa82696b4117610e6bb45d9be8a8
[SECURITY] Deny authentication bypass using blowfish/md5 encryption

Using password hashing methods that are related by class inheritance
can lead to authentication bypass by just knowing a valid username.

Resolves: #84703
Releases: master, 8.7, 7.6
Security-Commit: 17853c536776b6a7332b05b1e10385f4d87868ae
Security-Bulletin: TYPO3-CORE-SA-2018-001
Change-Id: If7a13d3699e217d7d853886b93b84b46f7e22b11
Reviewed-on: https://review.typo3.org/57543
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/saltedpasswords/Classes/SaltedPasswordService.php