[BUGFIX][saltedpasswords] Failed backend logins not not logged
authorTorben Hansen <t.hansen@skyfillers.com>
Fri, 29 Apr 2011 12:03:18 +0000 (14:03 +0200)
committerSteffen Ritter <info@rs-websystems.de>
Fri, 29 Apr 2011 15:05:31 +0000 (17:05 +0200)
The logging functions in saltedpasswords are not able to log failed
backend user logins to TYPO3's syslog, because the inherited
writelog function gets overridden by a local function. As a result, no
notification e-mail is sent to [warning_email_addr] when a backend user
has multiple failed login attempts. A remote 'attacker' could try to
log in to a TYPO3 installation's backend numerous times without being
noticed (no log entry and no warning e-mail, even if one is configured).

Rename the local writelog-function to writeLogMessage and add the
original writelog-functionality, so that failed backend logins are
written to TYPO3s syslog again and all logging/notifications work as
expected.

Change-Id: Ic05b05873e3fd20df675db908ba76b7dd0e5548f
Resolves: #23917
Releases: 4.6, 4.5, 4.4, 4.3
Reviewed-on: http://review.typo3.org/1795
Reviewed-by: Torben Hansen
Tested-by: Torben Hansen
Reviewed-by: Steffen Ritter
Tested-by: Steffen Ritter
typo3/sysext/saltedpasswords/sv1/class.tx_saltedpasswords_sv1.php

index 3d57134..3879d58 100644 (file)
@@ -244,26 +244,93 @@ class tx_saltedpasswords_sv1 extends tx_sv_authbase {
 
                        if (!$validPasswd && (intval($this->extConf['onlyAuthService']) || $this->authenticationFailed)) {
                                        // Failed login attempt (wrong password) - no delegation to further services
-                               $this->writeLog(
+                               $errorMessage = 'Login-attempt from %s (%s), username \'%s\', password not accepted!';
+                               $this->writeLogMessage(
                                        TYPO3_MODE . ' Authentication failed - wrong password for username \'%s\'',
                                        $this->login['uname']
                                );
+                               $this->writelog(255, 3, 3, 1,
+                                       $errorMessage,
+                                       array(
+                                               $this->authInfo['REMOTE_ADDR'],
+                                               $this->authInfo['REMOTE_HOST'],
+                                               $this->login['uname']
+                                       )
+                               );
+                               t3lib_div::sysLog(
+                                       sprintf(
+                                               $errorMessage,
+                                               $this->authInfo['REMOTE_ADDR'],
+                                               $this->authInfo['REMOTE_HOST'],
+                                               $this->login['uname']
+                                       ),
+                                       'Core',
+                                       0
+                               );
                                $OK = 0;
                        } elseif(!$validPasswd) {
                                        // Failed login attempt (wrong password)
-                               $this->writeLog(
-                                       "Login-attempt from %s, username '%s', password not accepted!",
-                                       $this->authInfo['REMOTE_ADDR'], $this->login['uname']
+                               $errorMessage = 'Login-attempt from %s (%s), username \'%s\', password not accepted!';
+                               $this->writeLogMessage(
+                                       $errorMessage,
+                                       $this->authInfo['REMOTE_ADDR'],
+                                       $this->authInfo['REMOTE_HOST'],
+                                       $this->login['uname']
+                               );
+                               $this->writelog(255, 3, 3, 1,
+                                       $errorMessage,
+                                       array(
+                                               $this->authInfo['REMOTE_ADDR'],
+                                               $this->authInfo['REMOTE_HOST'],
+                                               $this->login['uname']
+                                       )
+                               );
+                               t3lib_div::sysLog(
+                                       sprintf(
+                                               $errorMessage,
+                                               $this->authInfo['REMOTE_ADDR'],
+                                               $this->authInfo['REMOTE_HOST'],
+                                               $this->login['uname']
+                                       ),
+                                       'Core',
+                                       0
                                );
                        } elseif ($validPasswd && $user['lockToDomain'] && strcasecmp($user['lockToDomain'], $this->authInfo['HTTP_HOST'])) {
                                        // Lock domain didn't match, so error:
-                               $this->writeLog(
-                                       "Login-attempt from %s, username '%s', locked domain '%s' did not match '%s'!",
-                                       $this->authInfo['REMOTE_ADDR'], $this->login['uname'], $user['lockToDomain'], $this->authInfo['HTTP_HOST']
+                               $errorMessage = 'Login-attempt from %s (%s), username \'%s\', locked domain \'%s\' did not match \'%s\'!';
+                               $this->writeLogMessage(
+                                       $errorMessage,
+                                       $this->authInfo['REMOTE_ADDR'],
+                                       $this->authInfo['REMOTE_HOST'],
+                                       $this->login['uname'],
+                                       $user['lockToDomain'],
+                                       $this->authInfo['HTTP_HOST']
+                               );
+                               $this->writelog(255, 3, 3, 1,
+                                       $errorMessage,
+                                       array(
+                                               $this->authInfo['REMOTE_ADDR'],
+                                               $this->authInfo['REMOTE_HOST'],
+                                               $user[$this->db_user['username_column']],
+                                               $user['lockToDomain'],
+                                               $this->authInfo['HTTP_HOST']
+                                       )
+                               );
+                               t3lib_div::sysLog(
+                                       sprintf(
+                                               $errorMessage,
+                                               $this->authInfo['REMOTE_ADDR'],
+                                               $this->authInfo['REMOTE_HOST'],
+                                               $user[$this->db_user['username_column']],
+                                               $user['lockToDomain'],
+                                               $this->authInfo['HTTP_HOST']
+                                       ),
+                                       'Core',
+                                       0
                                );
                                $OK = 0;
                        } elseif ($validPasswd) {
-                               $this->writeLog(
+                               $this->writeLogMessage(
                                        TYPO3_MODE . ' Authentication successful for username \'%s\'',
                                        $this->login['uname']
                                );
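Review bot: The failed-login logging in the three error branches is written out three times over, each repeating the format string and its argument list for writeLogMessage, writelog and t3lib_div::sysLog, and the copies have already drifted — in the lockToDomain branch writeLogMessage receives `$this->login['uname']` while writelog and sysLog receive `$user[$this->db_user['username_column']]`, and in the first branch `$errorMessage` is assigned but writeLogMessage is given a different text. A small protected helper that takes the format string and an argument array and feeds all three sinks would keep them in step and give the bare tuple `255, 3, 3, 1` a single comment naming what the inherited writelog() expects in those positions (confirm against the parent class, which is not shown here). Such a helper logs one message through all three sinks, so the first branch's separate 'Authentication failed' wording for writeLogMessage would go away; keep that explicit call if the wording is relied on. Every value interpolated here — REMOTE_ADDR, REMOTE_HOST and the submitted username — comes from the client, so a comment should state that sys_log and syslog entries carry raw client input unless the sinks sanitise it, which this hunk does not show. The enclosing method starts and ends outside the hunk.
```php
				// Failed login attempt (wrong password) - no delegation to further services
				$this->logFailedLogin(
					'Login-attempt from %s (%s), username \'%s\', password not accepted!',
					array($this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname'])
				);
				$OK = 0;
			// … unchanged: the other two error branches call logFailedLogin() the same way …

	/**
	 * Records one failed login attempt in every sink the core expects:
	 * the service log (writeLogMessage), sys_log via the inherited writelog()
	 * (which the failed-login notification e-mail relies on, per the commit
	 * message) and TYPO3's syslog. All arguments are client-supplied and are
	 * passed through unchanged.
	 *
	 * @param string $message sprintf-style format string
	 * @param array $arguments values for the placeholders, in order
	 * @return void
	 */
	protected function logFailedLogin($message, array $arguments) {
			// writeLogMessage() only formats when given more than one argument (it checks func_num_args()), so format once here
		$formatted = vsprintf($message, $arguments);
		$this->writeLogMessage($formatted);
			// 255, 3, 3, 1 = type, action, error, details_nr for a failed login — confirm against the inherited writelog()
		$this->writelog(255, 3, 3, 1, $message, $arguments);
		t3lib_div::sysLog($formatted, 'Core', 0);
	}
```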
@@ -307,7 +374,7 @@ class tx_saltedpasswords_sv1 extends tx_sv_authbase {
         * @see t3lib_div::sysLog()
         * @see t3lib_timeTrack::setTSlogMessage()
         */
-       function writeLog($message) {
+       function writeLogMessage($message) {
                if (func_num_args() > 1) {
                        $params = func_get_args();
                        array_shift($params);
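Review bot: The docblock of writeLogMessage does not record why the method was renamed, and nothing in the code now prevents someone from reintroducing `writeLog` — PHP method names are case-insensitive, so a method with that name silently overrides the inherited writelog() and suppresses the sys_log entry and notification this commit restores. Add a line to the docblock, e.g. `* NOTE: deliberately not named writeLog() — PHP method names are case-insensitive and that name would override the inherited writelog() (see #23917).` The signature `function writeLogMessage($message)` also carries no visibility keyword; since the line is rewritten anyway, `protected function writeLogMessage($message) {` would make the intent explicit (adjust if it is called from outside the class, which is not visible here). The body of writeLogMessage continues past the hunk.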