Authentication Bypass in TYPO3 CMS 4.5

Component Type: TYPO3 CMS

Vulnerability Types: Authentication Bypass

Overall Severity: Critical

Release Date: February 19, 2015

Vulnerable subcomponent: rsaauth system extension

Vulnerability Type: Authentication Bypass

Affected Versions: Versions 4.3.0 to 4.3.14, 4.4.0 to 4.4.15, 4.5.0 to 4.5.39 and 4.6.0 to 4.6.18

Severity: Critical

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: It has been discovered that TYPO3 CMS is vulnerable to authentication bypass: a frontend user can be authenticated by knowing only their username.

TYPO3 installations are affected if all of the following apply:

  • TYPO3 Version 4.3.0 to 4.3.14, 4.4.0 to 4.4.15, 4.5.0 to 4.5.39 or 4.6.0 to 4.6.18
  • users/access restricted frontend area (frontend login)
  • system extension rsaauth is loaded
  • system extension rsaauth is configured for frontend usage as follows:
    $GLOBALS['TYPO3_CONF_VARS']['FE']['loginSecurityLevel'] = 'rsa'

TYPO3 installations are not affected if at least one of the following applies:

  • TYPO3 Version 4.7.0 or higher
  • no users/access restricted frontend area (TYPO3 Backend authentication is not affected)
  • system extension rsaauth is not loaded (default)
  • system extension rsaauth is not configured for frontend usage with the following setting (default):
    $GLOBALS['TYPO3_CONF_VARS']['FE']['loginSecurityLevel'] = 'rsa'
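The two lists above reduce to three machine-checkable conditions (version range, rsaauth loaded, FE loginSecurityLevel set to rsa); the existence of a restricted frontend area has to be confirmed by hand. The following is an added example, not the TYPO3 project's shell script or any code from the advisory, that applies those conditions to the affected ranges as stated here. It assumes the classic TYPO3 4.x layout in which the version string is found in t3lib/config_default.php as `$TYPO_VERSION = 'x.y.z';` and loaded extensions are listed in typo3conf/localconf.php under `$TYPO3_CONF_VARS['EXT']['extList']`; both file locations and the regex-based reading of them are assumptions of this example, and the sample localconf contents are constructed.

```python
"""Added example: flag TYPO3 4.x installations that match the advisory's
affected configuration.  File layout and settings format are assumptions."""
import os
import re

# Affected patch-level ranges per branch, taken from the advisory.
AFFECTED_RANGES = {
    (4, 3): (0, 14),
    (4, 4): (0, 15),
    (4, 5): (0, 39),
    (4, 6): (0, 18),
}


def _conf_var_pattern(section, key):
    # Accepts both `$TYPO3_CONF_VARS[...]` and `$GLOBALS['TYPO3_CONF_VARS'][...]`
    # spellings of a quoted scalar assignment (assumed localconf.php style).
    return re.compile(
        r"\$(?:GLOBALS\['TYPO3_CONF_VARS'\]|TYPO3_CONF_VARS)"
        r"\['" + section + r"'\]\['" + key + r"'\]\s*=\s*['\"]([^'\"]*)['\"]\s*;"
    )


EXT_LIST_RE = _conf_var_pattern("EXT", "extList")
FE_LEVEL_RE = _conf_var_pattern("FE", "loginSecurityLevel")
# Assumed location/format of the version string in t3lib/config_default.php.
VERSION_RE = re.compile(r"\$TYPO_VERSION\s*=\s*['\"]([0-9.]+)['\"]\s*;")


def parse_version(version):
    """'4.5.39' -> (4, 5, 39); rejects anything that is not three integers."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("unexpected TYPO3 version string: %r" % version)
    return tuple(int(p) for p in parts)


def is_vulnerable_version(version):
    """True when the version falls inside one of the advisory's affected ranges."""
    major, minor, patch = parse_version(version)
    bounds = AFFECTED_RANGES.get((major, minor))
    if bounds is None:
        return False  # 4.7.0 and later, or a branch the advisory does not list
    low, high = bounds
    return low <= patch <= high


def parse_localconf(source):
    """Return (loaded_extensions, fe_login_security_level) from localconf.php text."""
    ext_match = EXT_LIST_RE.search(source)
    level_match = FE_LEVEL_RE.search(source)
    extensions = set()
    if ext_match:
        extensions = {e.strip() for e in ext_match.group(1).split(",") if e.strip()}
    fe_level = level_match.group(1) if level_match else ""
    return extensions, fe_level


def is_affected(version, localconf_source):
    """Apply the advisory's conditions; returns (affected, reasons_why_not).
    A restricted frontend login area cannot be read from config, so a True
    result still needs that confirmed on the site itself."""
    reasons = []
    if not is_vulnerable_version(version):
        reasons.append("version %s is outside the affected ranges" % version)
    extensions, fe_level = parse_localconf(localconf_source)
    if "rsaauth" not in extensions:
        reasons.append("rsaauth is not loaded")
    if fe_level != "rsa":
        reasons.append("FE loginSecurityLevel is %r, not 'rsa'" % fe_level)
    return (not reasons), reasons


def scan_installations(root):
    """Walk `root` for document roots with the assumed 4.x layout and report
    (path, version, affected, reasons) for each one found."""
    results = []
    for dirpath, dirnames, _ in os.walk(root):
        version_file = os.path.join(dirpath, "t3lib", "config_default.php")
        localconf = os.path.join(dirpath, "typo3conf", "localconf.php")
        if not (os.path.isfile(version_file) and os.path.isfile(localconf)):
            continue
        with open(version_file, encoding="utf-8", errors="replace") as fh:
            match = VERSION_RE.search(fh.read())
        if not match:
            continue
        with open(localconf, encoding="utf-8", errors="replace") as fh:
            affected, reasons = is_affected(match.group(1), fh.read())
        results.append((dirpath, match.group(1), affected, reasons))
        dirnames[:] = []  # do not descend into an installation's own tree
    return results


# Constructed sample localconf.php contents (not taken from any real site).
SAMPLE_LOCALCONF_AFFECTED = """<?php
$TYPO3_CONF_VARS['EXT']['extList'] = 'cms,lang,sv,rsaauth,saltedpasswords';
$TYPO3_CONF_VARS['BE']['loginSecurityLevel'] = 'rsa';
$TYPO3_CONF_VARS['FE']['loginSecurityLevel'] = 'rsa';
?>"""

# rsaauth loaded but rsa only for the backend: per the advisory, not affected.
SAMPLE_LOCALCONF_BACKEND_ONLY = """<?php
$TYPO3_CONF_VARS['EXT']['extList'] = 'cms,lang,sv,rsaauth,saltedpasswords';
$GLOBALS['TYPO3_CONF_VARS']['BE']['loginSecurityLevel'] = 'rsa';
?>"""

if __name__ == "__main__":
    for name, conf in (("affected", SAMPLE_LOCALCONF_AFFECTED),
                       ("backend-only", SAMPLE_LOCALCONF_BACKEND_ONLY)):
        for version in ("4.5.39", "4.5.40", "4.7.0"):
            affected, reasons = is_affected(version, conf)
            print(name, version, "AFFECTED" if affected else "not affected", reasons)
```

Run `scan_installations("/var/www")` (or whichever directory holds the document roots) to get one tuple per installation; the `reasons` list explains why an installation was cleared, so a backend-only rsa configuration is distinguishable from an installation that simply does not load rsaauth.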

Solution: Update to TYPO3 version 4.5.40, which fixes the problem described. Alternatively, use the provided shell script to patch all affected TYPO3 installations (versions 4.3 to 4.6) found in a specified directory, or use the diff file to patch the installations manually.

Important Note: Updating or patching your installations to fix this CRITICAL vulnerability is STRONGLY ADVISED!

Credits: Thanks to Pierrick Caillon who discovered and reported the vulnerability and to Security Team Member Nicole Cordes for developing a fix and providing the shell script.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.
