[SECURITY] Deny authentication bypass using blowfish/md5 encryption 39/57539/2
author Oliver Hader <oliver@typo3.org>
Thu, 12 Jul 2018 09:31:06 +0000 (11:31 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Thu, 12 Jul 2018 09:31:08 +0000 (11:31 +0200)
commit f4a28e4372215c720e3c338ac33ee3c040c62896
tree c87729ece663ba116e96fadea71072e9bf0468aa
parent c9a498b834083b1887bc69ca6c774a0459893a36
[SECURITY] Deny authentication bypass using blowfish/md5 encryption

Using password hashing methods that are related by class inheritance
can lead to authentication bypass by just knowing a valid username.

Resolves: #84703
Releases: master, 8.7, 7.6
Security-Commit: 9183f7c5d84544c0b9464119d0ebe0951998c61c
Security-Bulletin: TYPO3-CORE-SA-2018-001
Change-Id: I2271f300e4a4956fa85b7d35fa1f48245e00d6c4
Reviewed-on: https://review.typo3.org/57539
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/saltedpasswords/Classes/SaltedPasswordService.php