Fixed bug #13372: saltedpasswords - Authentication Bypass in frontend user authentication
authorOliver Hader <oliver.hader@typo3.org>
Tue, 23 Feb 2010 10:02:38 +0000 (10:02 +0000)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 23 Feb 2010 10:02:38 +0000 (10:02 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@6979 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
typo3/sysext/saltedpasswords/sv1/class.tx_saltedpasswords_sv1.php

index c8a938f..1d89d1a 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2010-02-23  Oliver Hader  <oliver@typo3.org>
+
+       * Fixed bug #13372: saltedpasswords - Authentication Bypass in frontend user authentication (thanks to Marcus Krause & Dmitry Dulepov)
+
 2010-02-22  Benjamin Mack  <benni@typo3.org>
 
        * Fixed bug #13243: Small speedup improvements to t3lib_page by removing superfluous intval() statements (Thanks to Georg Ringer)
index 76a3e72..f48f6f9 100644 (file)
@@ -79,6 +79,15 @@ class tx_saltedpasswords_sv1 extends tx_sv_authbase {
         */
        protected $objInstanceSaltedPW = NULL;
 
+       /**
+        * Indicates whether the salted password authentication has failed.
+        *
+        * Prevents authentication bypass. See vulnerability report:
+        * { @link http://bugs.typo3.org/view.php?id=13372 }
+        *
+        * @var boolean
+        */
+       protected $authenticationFailed = FALSE;
 
        /**
         * Checks if service is available. In case of this service we check that
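Review bot: The inline link tag in the new docblock near the top of this hunk is written `{ @link http://bugs.typo3.org/view.php?id=13372 }` with spaces inside the braces, which phpDocumentor does not parse as an inline tag; it should read `{@link http://bugs.typo3.org/view.php?id=13372}`. Separately, the new flag is initialised to FALSE and, in the hunks below, is only ever set to TRUE; nothing visible resets it when a new authentication run begins. If one service instance can be asked to authenticate more than once (not determinable from this hunk), a failure recorded for one record would also block delegation for the next, so it may be worth resetting the flag at the start of the authentication method (presumably `authUser()`). The enclosing class continues outside the hunk.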
@@ -123,6 +132,12 @@ class tx_saltedpasswords_sv1 extends tx_sv_authbase {
                if (is_object($this->objInstanceSaltedPW)) {
                        $validPasswd = $this->objInstanceSaltedPW->checkPassword($password,$user['password']);
 
+                               // record is in format of Salted Hash password but authentication failed
+                               // skip further authentication methods
+                       if (!$validPasswd) {
+                               $this->authenticationFailed = TRUE;
+                       }
+
                        $defaultHashingClassName = tx_saltedpasswords_div::getDefaultSaltingHashingMethod();
                        $skip = FALSE;
 
@@ -158,10 +173,20 @@ class tx_saltedpasswords_sv1 extends tx_sv_authbase {
                                        $validPasswd = $this->objInstanceSaltedPW->checkPassword(md5($password), substr($user['password'], 1));
                                }
 
+                                       // skip further authentication methods
+                               if (!$validPasswd) {
+                                       $this->authenticationFailed = TRUE;
+                               }
+
                                // password is stored as md5
                        } else if (preg_match('/[0-9abcdef]{32,32}/', $user['password'])) {
                                $validPasswd = (!strcmp(md5($password), $user['password']) ? TRUE : FALSE);
 
+                                       // skip further authentication methods
+                               if (!$validPasswd) {
+                                       $this->authenticationFailed = TRUE;
+                               }
+
                                // password is stored plain or unrecognized format
                        } else {
                                $validPasswd = (!strcmp($password, $user['password']) ? TRUE : FALSE);
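Review bot: The guard `if (!$validPasswd) { $this->authenticationFailed = TRUE; }` is now copied into three branches — the salted-hash branch in the previous hunk and the two md5 branches in this one — while the final `else` branch for plain or unrecognized formats is left without it. If that omission is intentional, so that records in an unrecognized format may still be delegated to another service, a one-line comment on that branch such as `// deliberately no $authenticationFailed here: unknown format, leave the decision to further services` would keep a later edit from either "fixing" it or forgetting the flag in a newly added branch. Otherwise the three copies could collapse into a single assignment after the if/else chain. The enclosing method starts and ends outside the hunk.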
@@ -219,7 +244,7 @@ class tx_saltedpasswords_sv1 extends tx_sv_authbase {
                                );
                        }
 
-                       if (!$validPasswd && intval($this->extConf['onlyAuthService'])) {
+                       if (!$validPasswd && (intval($this->extConf['onlyAuthService']) || $this->authenticationFailed)) {
                                        // Failed login attempt (wrong password) - no delegation to further services
                                $this->writeLog(
                                        TYPO3_MODE . ' Authentication failed - wrong password for username \'%s\'',
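Review bot: The changed condition is the actual fix, yet it carries no explanation of why `$this->authenticationFailed` must stop delegation, and a future maintainer could easily read it as redundant with `onlyAuthService` and remove it. A comment directly above it along the lines of `// a record in a recognised hash format that did not match must never be handed on to a further authentication service` would document the property the commit title describes as an authentication bypass. The flag is ANDed with `!$validPasswd`, so it has no effect once the password has been accepted, which seems to be the intended behaviour. The surrounding method continues outside the hunk.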