[Secure-testing-team] Bug#567163: TYPO3-SA-2010-001: Authentication Bypass in TYPO3 Core
Moritz Muehlenhoff
jmm at debian.org
Wed Jan 27 18:55:45 UTC 2010
Package: typo3-src
Severity: grave
Tags: security
http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-001/
Apparently this only affects unstable/testing, but please double-check
the Lenny status.
Cheers,
Moritz
Vulnerable subcomponent #1: System extension openid
Vulnerability Type: Authentication Bypass
Severity: High
Problem Description: By using an OpenID identity that is assigned to an existing backend user account, an arbitrary
website user is able to log in to the TYPO3 backend with the granted rights of this specific user account.
Prerequisites for exploiting this vulnerability are an enabled system extension "openid", knowledge of OpenID identities
assigned to TYPO3 user accounts, a victim's OpenID identity of a specific type of OpenID provider and both victim and
attacker having identities at the same OpenID provider. Only OpenID identities are vulnerable whose provider discards
submitted OpenID identities during authentication process and allows its users to choose a different identity to
authenticate with. The TYPO3 Security Team is aware of at least one major OpenID provider that exhibits such behaviour.
TYPO3 System extension "openid" is disabled by default; enabling it requires a manual change in system configuration.
Solution: When using OpenID for authentication, please update to TYPO3 version 4.3.1, which fixes the problem described.
Credits: Credits go to TYPO3 Core member Jeff Segars who discovered and reported the issue. Thanks to Dmitry Dulepov and
Oliver Hader from the TYPO3 Core team for working on a patch.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-trunk-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15 at euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
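The advisory describes a relying-party mistake that is easy to reproduce outside TYPO3: the login form takes an identity, the provider is asked to authenticate it, the provider quietly authenticates whichever identity its user picks instead, and the relying party then grants the account it looked up from the typed identity. The following Python simulation is an added example written for this page; it is not TYPO3's PHP code nor the 4.3.1 patch, and the user table, identity URLs and the HMAC "association" signature are constructed stand-ins for the real OpenID 2.0 machinery. It shows the lenient provider behaviour, a vulnerable relying party that trusts a valid assertion as a bare yes/no, and a hardened one that binds the assertion to the identity and nonce it started with.

```python
import hashlib
import hmac
import secrets

# Constructed (hypothetical) backend user table: OpenID identity -> backend login.
BACKEND_USERS = {
    "https://openid.example.net/victim": "admin",
}

VICTIM = "https://openid.example.net/victim"      # identity bound to a backend account
ATTACKER = "https://openid.example.net/attacker"  # attacker's own identity, same provider
SIGNED_FIELDS = ("openid.claimed_id", "openid.identity", "openid.response_nonce")


def sign(assoc_key, response):
    """Simulated OpenID association signature: HMAC over the signed fields."""
    msg = "\n".join(f"{k}:{response[k]}" for k in SIGNED_FIELDS).encode()
    return hmac.new(assoc_key, msg, hashlib.sha256).hexdigest()


def lenient_provider(assoc_key, requested_identity, authenticated_as, nonce):
    """Models the provider behaviour from the advisory: the identity the RP
    asked about is discarded, and the signed assertion names whichever of the
    browser user's identities they chose to authenticate with."""
    del requested_identity  # deliberately ignored; this is the provider quirk
    response = {
        "openid.mode": "id_res",
        "openid.claimed_id": authenticated_as,
        "openid.identity": authenticated_as,
        "openid.response_nonce": nonce,
    }
    response["openid.sig"] = sign(assoc_key, response)
    return response


def assertion_is_valid(assoc_key, response):
    """RP-side mode and signature check. Both relying parties below do this
    correctly; the difference is what they do once it passes."""
    if response.get("openid.mode") != "id_res":
        return False
    expected = sign(assoc_key, response)
    return hmac.compare_digest(expected, response.get("openid.sig", ""))


def vulnerable_login(assoc_key, typed_identity, authenticated_as):
    """Vulnerable pattern: the backend user is resolved from the identity the
    attacker typed into the login form; the provider's answer is treated as a
    bare 'authenticated: yes' without checking whom it authenticated."""
    nonce = secrets.token_hex(8)
    response = lenient_provider(assoc_key, typed_identity, authenticated_as, nonce)
    if not assertion_is_valid(assoc_key, response):
        return None
    return BACKEND_USERS.get(typed_identity)


def hardened_login(assoc_key, typed_identity, authenticated_as):
    """Hardened pattern: remember what was submitted, require the signed
    assertion to name exactly that claimed_id and this request's nonce, and
    resolve the backend user only from the asserted identity."""
    pending = {"claimed_id": typed_identity, "nonce": secrets.token_hex(8)}
    response = lenient_provider(assoc_key, typed_identity, authenticated_as, pending["nonce"])
    if not assertion_is_valid(assoc_key, response):
        return None
    if response["openid.response_nonce"] != pending["nonce"]:
        return None  # replayed or cross-request assertion
    if response["openid.claimed_id"] != pending["claimed_id"]:
        return None  # provider asserted a different identity than the one requested
    return BACKEND_USERS.get(response["openid.claimed_id"])


def demo():
    """Run the attacker and the legitimate user against both relying parties."""
    key = secrets.token_bytes(32)  # shared association secret (simulated)
    return {
        "vulnerable_attacker": vulnerable_login(key, VICTIM, ATTACKER),
        "hardened_attacker": hardened_login(key, VICTIM, ATTACKER),
        "hardened_victim": hardened_login(key, VICTIM, VICTIM),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The attacker types the victim's identity, authenticates at the provider as themselves, and the vulnerable relying party hands over "admin"; the hardened one refuses because the asserted claimed_id is not the one the login started with, while the real owner still gets in. In OpenID 2.0 terms this is the "verifying discovered information" step: the relying party must compare the claimed_id in the positive assertion against what its own discovery produced, never against what the browser user typed.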