[SECURITY] Disallow login with empty password 99/47599/2
authorNicole Cordes <typo3@cordes.co>
Tue, 12 Apr 2016 09:09:59 +0000 (11:09 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 12 Apr 2016 09:10:01 +0000 (11:10 +0200)
In case a backend or frontend user is stored in the database
with an empty string as password (not possible through backend UI),
it is possible to authenticate this user using an empty password
with the standard TYPO3 username/password authentication services.

By definition this should be prohibited.

Resolves: #75055
Releases: master, 7.6, 6.2
Security-Commit: 1899bfa7166baae8d774fa7bd027f9c448e89686
Security-Bulletins: TYPO3-CORE-SA-2016-009, 010, 011, 012
Change-Id: I7b5ce35a6e5d817c2480cb81e616bfac25fbe2fb
Reviewed-on: https://review.typo3.org/47599
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
typo3/sysext/saltedpasswords/Classes/SaltedPasswordService.php
typo3/sysext/sv/Classes/AuthenticationService.php

index c3edd89..d62700d 100644 (file)
@@ -1503,7 +1503,7 @@ abstract class AbstractUserAuthentication {
                                break;
                        default:
                                // normal
-                               if ((string)$loginData['uident_text'] === (string)$user[$this->userident_column]) {
+                               if ((string)$loginData['uident_text'] !== '' && (string)$loginData['uident_text'] === (string)$user[$this->userident_column]) {
                                        $OK = TRUE;
                                }
                }
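Review bot: The cast `(string)$loginData['uident_text']` is evaluated twice in the new condition, and the reason for the added emptiness test is not recorded next to it; a local variable and a one-line why-comment would make the guard self-explaining: `$submittedPassword = (string)$loginData['uident_text'];` / `// Never accept an empty submitted password, even if the stored password column is empty` / `if ($submittedPassword !== '' && $submittedPassword === (string)$user[$this->userident_column]) {`. Note that `===` on strings stops at the first differing byte; where the supported PHP versions allow it, `hash_equals()` would compare in constant time, though that is a separate concern from this fix. The `break` on the first context line shows that other security-level cases are handled above this hunk, so the new guard covers only the `default` ("normal") case; the enclosing `switch` and method start outside the hunk.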
index 87fa8e3..ece3a45 100644 (file)
@@ -174,10 +174,10 @@ class SaltedPasswordService extends \TYPO3\CMS\Sv\AbstractAuthenticationService
        public function authUser(array $user) {
                $OK = 100;
                $validPasswd = FALSE;
-               if ($this->login['uident'] && $this->login['uname']) {
-                       if (!empty($this->login['uident_text'])) {
-                               $validPasswd = $this->compareUident($user, $this->login);
-                       }
+               // The salted password service can only work correctly, if a non empty username along with a non empty password is provided.
+               // Otherwise a different service is allowed to check for other login credentials
+               if ((string)$this->login['uident_text'] !== '' && (string)$this->login['uname'] !== '') {
+                       $validPasswd = $this->compareUident($user, $this->login);
                        if (!$validPasswd) {
                                // Failed login attempt (wrong password)
                                $errorMessage = 'Login-attempt from %s (%s), username \'%s\', password not accepted!';
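Review bot: The rewritten condition no longer tests `$this->login['uident']` at all, only `uident_text` and `uname`; if `compareUident()` (outside the hunk) reads `uident` for some login security levels, an empty `uident` now reaches it where the old outer check stopped it. Also, `(string)$this->login['uident_text']` raises an undefined-index notice when the key is absent, whereas the replaced `!empty()` was notice-safe; unless `uident_text` is guaranteed to be set by the login-form data, read it defensively, e.g. `$password = isset($this->login['uident_text']) ? (string)$this->login['uident_text'] : '';` and test `$password !== ''`. The `authUser` method continues past the end of the hunk.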
index e736c41..32c63be 100644 (file)
@@ -103,7 +103,9 @@ class AuthenticationService extends \TYPO3\CMS\Sv\AbstractAuthenticationService
         */
        public function authUser(array $user) {
                $OK = 100;
-               if ($this->login['uident'] && $this->login['uname']) {
+               // This authentication service can only work correctly, if a non empty username along with a non empty password is provided.
+               // Otherwise a different service is allowed to check for other login credentials
+               if ((string)$this->login['uident'] !== '' && (string)$this->login['uname'] !== '') {
                        // Checking password match for user:
                        $OK = $this->compareUident($user, $this->login);
                        if (!$OK) {
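Review bot: The guard on the new `if` line tests `uident`, while the parallel guard added to `SaltedPasswordService::authUser` in the previous hunk tests `uident_text`, so the two services now reject different notions of an empty password. If `uident` is a derived value for some login security levels (e.g. a hash computed from the password and a challenge), it is non-empty even when the submitted password was empty, and this check alone would not block such a login; rejection would then rely on `compareUident()`, which is outside the hunk. Either check `uident_text` here as the sibling service does, or extend the comment on the new lines to say why `uident` is the correct field for this service. As in the previous hunk, the `(string)` cast on a possibly unset array key is not notice-safe; the method continues beyond the hunk.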