[SECURITY] Disallow unauthorized module access 77/41477/2
authorHelmut Hummel <helmut.hummel@typo3.org>
Thu, 16 Jul 2015 15:06:56 +0000 (17:06 +0200)
committerWouter Wolters <typo3@wouterwolters.nl>
Thu, 16 Jul 2015 15:47:45 +0000 (17:47 +0200)
Changing the module dispatcher URL from mod.php to index.php introduced a potential security issue:
some modules could be called even without an authenticated backend user.

Fix and harden the checks in the module dispatcher to avoid that.

Resolves: #68232
Related: #68183
Releases: master
Change-Id: I60e91c654c6844cd60c2699418e7d816b355c928
Reviewed-on: http://review.typo3.org/41477
Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
typo3/sysext/backend/Classes/Http/Application.php
typo3/sysext/backend/Classes/Http/BackendModuleRequestHandler.php

index 28a4ada..b43ac7f 100644 (file)
@@ -114,11 +114,12 @@ class Application implements ApplicationInterface {
        protected function defineAdditionalEntryPointRelatedConstants() {
                $currentScript = GeneralUtility::getIndpEnv('SCRIPT_NAME');
 
-               // activate "AJAX" handler when called with the GET variable ajaxID
-               if (GeneralUtility::_GET('ajaxID') !== NULL) {
+               // Activate "AJAX" handler when called with the GET variable ajaxID
+               if (!empty(GeneralUtility::_GET('ajaxID'))) {
                        $GLOBALS['TYPO3_AJAX'] = TRUE;
-               } elseif (GeneralUtility::_GET('ajaxID') === NULL && substr($currentScript, -16) === '/typo3/index.php') {
-                       // allow backend login to work
+               // The following check is security relevant! DO NOT REMOVE!
+               } elseif (empty(GeneralUtility::_GET('M')) && substr($currentScript, -16) === '/typo3/index.php') {
+                       // Allow backend login to work, disallow module access without authenticated backend user
                        define('TYPO3_PROCEED_IF_NO_USER', 1);
                }
        }
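Review bot: The security-relevant branch at the `elseif` now hinges on `empty(GeneralUtility::_GET('M'))`, and `empty()` treats the string `'0'` as empty, so a request with `?M=0` would still define `TYPO3_PROCEED_IF_NO_USER` and proceed to the module dispatcher without a user; the token check in BackendModuleRequestHandler presumably backstops that, but the entry-point guard should not depend on PHP's falsy rules. A strict comparison keeps the login path (no `M` at all, or `M=`) working while excluding `'0'`: `} elseif ((string)GeneralUtility::_GET('M') === '' && substr($currentScript, -16) === '/typo3/index.php') {`. The same applies to the `!empty(GeneralUtility::_GET('ajaxID'))` check above it, which silently changes the old `!== NULL` behaviour for `ajaxID=0` and now falls through into the login branch; if that is intended, say so in the comment, otherwise `GeneralUtility::_GET('ajaxID') !== NULL` matches the previous semantics. The "DO NOT REMOVE" comment currently sits inside the `if` body before the closing brace; placing it directly above the `elseif` line, or above the whole `if`, makes it read as attached to the check it protects. defineAdditionalEntryPointRelatedConstants() is shown in full here.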
index dc062c5..a3ecfaa 100644 (file)
@@ -16,6 +16,7 @@ namespace TYPO3\CMS\Backend\Http;
 
 use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
 use TYPO3\CMS\Core\Core\Bootstrap;
+use TYPO3\CMS\Core\FormProtection\BackendFormProtection;
 use TYPO3\CMS\Core\FormProtection\FormProtectionFactory;
 use TYPO3\CMS\Core\Exception;
 use TYPO3\CMS\Core\Http\RequestHandlerInterface;
@@ -132,7 +133,9 @@ class BackendModuleRequestHandler implements RequestHandlerInterface {
         * @return bool
         */
        protected function isValidModuleRequest() {
-               return $this->getFormProtection()->validateToken((string)$this->request->getQueryParams()['moduleToken'], 'moduleCall', (string)$this->request->getQueryParams()['M']);
+               return
+                       $this->getFormProtection() instanceof BackendFormProtection
+               && $this->getFormProtection()->validateToken((string)$this->request->getQueryParams()['moduleToken'], 'moduleCall', (string)$this->request->getQueryParams()['M']);
        }
 
        /**
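Review bot: `isValidModuleRequest()` reads `$this->request->getQueryParams()['moduleToken']` and `['M']` without checking the keys exist, so a module request missing either parameter raises an undefined-index notice before `validateToken()` even returns false; the new `instanceof` guard does not change that, and `getFormProtection()` is now also called twice in the same expression. The docblock above (its opening lies outside this hunk) should state why the `BackendFormProtection` check matters, e.g. `Returns FALSE unless a backend form protection (i.e. an authenticated backend user) is present and the module token is valid.` — from the hunk alone one can only infer, not confirm, that the factory hands out a different implementation when no user is logged in. Fetching the instance and the query parameters once, with `isset()` fallbacks (this code base still targets PHP 5.x, so no `??`), keeps the method side-effect free and quiet on malformed input:
```php
protected function isValidModuleRequest() {
    $formProtection = $this->getFormProtection();
    if (!$formProtection instanceof BackendFormProtection) {
        return FALSE;
    }
    $queryParams = $this->request->getQueryParams();
    $moduleToken = isset($queryParams['moduleToken']) ? (string)$queryParams['moduleToken'] : '';
    $moduleName = isset($queryParams['M']) ? (string)$queryParams['M'] : '';
    return $formProtection->validateToken($moduleToken, 'moduleCall', $moduleName);
}
```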