[SECURITY] Deny authentication bypass using blowfish/md5 encryption 39/57539/2
authorOliver Hader <oliver@typo3.org>
Thu, 12 Jul 2018 09:31:06 +0000 (11:31 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Thu, 12 Jul 2018 09:31:08 +0000 (11:31 +0200)
Using password hashing methods that are related by class inheritance
can lead to authentication bypass by just knowing a valid username.

Resolves: #84703
Releases: master, 8.7, 7.6
Security-Commit: 9183f7c5d84544c0b9464119d0ebe0951998c61c
Security-Bulletin: TYPO3-CORE-SA-2018-001
Change-Id: I2271f300e4a4956fa85b7d35fa1f48245e00d6c4
Reviewed-on: https://review.typo3.org/57539
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/saltedpasswords/Classes/SaltedPasswordService.php

index 5cc89e6..b15c96e 100644 (file)
@@ -114,8 +114,8 @@ class SaltedPasswordService extends \TYPO3\CMS\Sv\AbstractAuthenticationService
             }
             $defaultHashingClassName = \TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::getDefaultSaltingHashingMethod();
             $skip = false;
-            // Test for wrong salted hashing method
-            if ($validPasswd && !(get_class($this->objInstanceSaltedPW) == $defaultHashingClassName) || is_subclass_of($this->objInstanceSaltedPW, $defaultHashingClassName)) {
+            // Test for wrong salted hashing method (only if current method is not related to default method)
+            if ($validPasswd && get_class($this->objInstanceSaltedPW) !== $defaultHashingClassName && !is_subclass_of($this->objInstanceSaltedPW, $defaultHashingClassName)) {
                 // Instantiate default method class
                 $this->objInstanceSaltedPW = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(null);
                 $this->updatePassword((int)$user['uid'], ['password' => $this->objInstanceSaltedPW->getHashedPassword($password)]);
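Review bot: The corrected condition on the new `if` line is right, but it still packs the `$validPasswd` guard and the two class-relationship tests into one expression, which is exactly the shape in which the original precedence mistake (`A && !B || C`) slipped through review. Naming the relationship check first makes the security-critical guard stand out and leaves no room for `&&`/`||` binding ambiguity: `$isRelatedToDefaultMethod = get_class($this->objInstanceSaltedPW) === $defaultHashingClassName || is_subclass_of($this->objInstanceSaltedPW, $defaultHashingClassName);` followed by `if ($validPasswd && !$isRelatedToDefaultMethod) {`. The comment above the branch should also say why the guard matters, since the rehash path calls `updatePassword()` with a hash of the submitted password: `// Re-hash with the default method only after the submitted password has been verified; this branch overwrites the stored hash.` The enclosing method begins and ends outside this hunk, so the origin of `$validPasswd` and `$user` cannot be checked here.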