TYPO3-SA-2010-001: Vulnerability in TYPO3 Core

Categories: TYPO3 CMS
Created by Marcus Krause
It has been discovered that TYPO3 Core is vulnerable to authentication bypass.

Component Type: TYPO3 Core

Affected Versions: TYPO3 version 4.3.0 with enabled system extension "openid"

Vulnerability Types: Authentication Bypass

Overall Severity: High

Release Date: January 14, 2010

Vulnerable subcomponent #1: System extension openid

Vulnerability Type: Authentication Bypass

Severity: High

CVE reference: CVE-2010-0286

Problem Description: By using an OpenID identity that is assigned to an existing backend user account, an arbitrary website user is able to log in to the TYPO3 backend with the rights granted to this specific user account.

The prerequisites for exploiting this vulnerability are an enabled system extension "openid", knowledge of OpenID identities assigned to TYPO3 user accounts, a victim's OpenID identity at a specific type of OpenID provider, and both victim and attacker having identities at the same OpenID provider. Only OpenID identities whose provider discards the submitted OpenID identity during the authentication process and allows its users to choose a different identity to authenticate with are vulnerable. The TYPO3 Security Team is aware of at least one major OpenID provider that exhibits such behaviour.

TYPO3 System extension "openid" is disabled by default; enabling it requires a manual change in system configuration.
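The failure mode described above can be shown as a relying-party check. This is an added example, not TYPO3's code or its patch. It assumes the provider's response signature has already been verified, and the function names, account table and identity URLs are hypothetical, constructed values.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data: one backend account with an assigned OpenID identity.
BACKEND_USERS = {"https://openid.example/alice": "alice_admin"}

# Constructed provider responses (OpenID 2.0 field names).
# SWAPPED: the provider discarded the submitted identity and asserted another one.
SWAPPED = {"openid.mode": "id_res",
           "openid.claimed_id": "https://openid.example/mallory"}
# HONEST: the provider asserted the identity that was submitted.
HONEST = {"openid.mode": "id_res",
          "openid.claimed_id": "https://OpenID.example/alice"}


def normalize(identity: str) -> str:
    """Simplified normalization: lowercase scheme and host, drop the fragment."""
    p = urlsplit(identity.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def login_vulnerable(requested: str, assertion: dict):
    """Flawed pattern: any positive assertion logs in the *requested* identity."""
    if assertion.get("openid.mode") != "id_res":
        return None
    return BACKEND_USERS.get(normalize(requested))


def login_hardened(requested: str, assertion: dict):
    """Bind the login to the identity the provider actually asserted."""
    if assertion.get("openid.mode") != "id_res":
        return None
    asserted = assertion.get("openid.claimed_id")
    # Reject when the provider authenticated a different identity than the
    # one submitted (strict equality; a deliberately conservative policy).
    if not asserted or normalize(asserted) != normalize(requested):
        return None
    return BACKEND_USERS.get(normalize(asserted))


if __name__ == "__main__":
    victim = "https://openid.example/alice"
    print("vulnerable, swapped:", login_vulnerable(victim, SWAPPED))
    print("hardened,   swapped:", login_hardened(victim, SWAPPED))
    print("hardened,   honest: ", login_hardened(victim, HONEST))
```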

Solution: When using OpenID for authentication, please update to TYPO3 version 4.3.1, which fixes the problem described.

Credits: Credits go to TYPO3 Core member Jeff Segars who discovered and reported the issue. Thanks to Dmitry Dulepov and Oliver Hader from the TYPO3 Core team for working on a patch.

General Advice: Follow the recommendations that are given in the TYPO3 Security Cookbook. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.