+2010-02-23 Oliver Hader <oliver@typo3.org>
+
+ * Fixed bug #13372: saltedpasswords - Authentication Bypass in frontend user authentication (thanks to Marcus Krause & Dmitry Dulepov)
+
2010-02-22 Benjamin Mack <benni@typo3.org>
* Fixed bug #13243: Small speedup improvements to t3lib_page by removing superfluous intval() statements (Thanks to Georg Ringer)
*/
protected $objInstanceSaltedPW = NULL;
+ /**
+ * Indicates whether the salted password authentication has failed.
+ *
+ * Prevents authentication bypass. See vulnerability report:
+ * { @link http://bugs.typo3.org/view.php?id=13372 }
+ *
+ * @var boolean
+ */
+ protected $authenticationFailed = FALSE;
/**
* Checks if service is available. In case of this service we check that
if (is_object($this->objInstanceSaltedPW)) {
$validPasswd = $this->objInstanceSaltedPW->checkPassword($password,$user['password']);
+ // record is in format of Salted Hash password but authentication failed
+ // skip further authentication methods
+ if (!$validPasswd) {
+ $this->authenticationFailed = TRUE;
+ }
+
$defaultHashingClassName = tx_saltedpasswords_div::getDefaultSaltingHashingMethod();
$skip = FALSE;
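Review bot: `$this->authenticationFailed` is only ever raised to TRUE in this hunk (the assignment right after the `checkPassword()` call) and in the md5-fallback and md5 branches of the next hunk, and nothing in the visible diff ever sets it back to FALSE, so the flag is per-instance state rather than per-call state. If the service instance is reused for a second `authUser()` call in the same request — as far as I can tell TYPO3's `makeInstanceService()` may hand back a cached instance and call `reset()` on it — a wrong password against one record would suppress delegation for the next record as well. Re-initialising it at the start of the check, `$this->authenticationFailed = FALSE;`, or in the service's `reset()` hook, keeps the flag tied to the record currently being verified. The enclosing `authUser()` starts and ends outside this hunk.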
$validPasswd = $this->objInstanceSaltedPW->checkPassword(md5($password), substr($user['password'], 1));
}
+ // skip further authentication methods
+ if (!$validPasswd) {
+ $this->authenticationFailed = TRUE;
+ }
+
// password is stored as md5
} else if (preg_match('/[0-9abcdef]{32,32}/', $user['password'])) {
$validPasswd = (!strcmp(md5($password), $user['password']) ? TRUE : FALSE);
+ // skip further authentication methods
+ if (!$validPasswd) {
+ $this->authenticationFailed = TRUE;
+ }
+
// password is stored plain or unrecognized format
} else {
$validPasswd = (!strcmp($password, $user['password']) ? TRUE : FALSE);
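Review bot: The plain/unrecognized-format branch (`$validPasswd = (!strcmp($password, $user['password']) ? TRUE : FALSE);`) is the one branch in this hunk that does not set `$this->authenticationFailed`, so a wrong password against such a record still falls through to the next authentication service, unlike the salted and md5 cases above it. If that is deliberate because an unrecognized hash may be owned by another service, a comment stating it would help, e.g. `// unrecognized format: leave delegation to further services`; if the intent is to stop delegation whenever this service has compared a password, the same `if (!$validPasswd) { $this->authenticationFailed = TRUE; }` belongs here too. The enclosing `authUser()` starts and ends outside this hunk.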
);
}
- if (!$validPasswd && intval($this->extConf['onlyAuthService'])) {
+ if (!$validPasswd && (intval($this->extConf['onlyAuthService']) || $this->authenticationFailed)) {
// Failed login attempt (wrong password) - no delegation to further services
$this->writeLog(
TYPO3_MODE . ' Authentication failed - wrong password for username \'%s\'',