Multiple vulnerabilities in extension "MKSamlAuth" (mksamlauth)

Categories: Development Created by Torben Hansen
It has been discovered that the extension "MKSamlAuth" (mksamlauth) is susceptible to Broken Authentication and Authentication Bypass.
  • Release Date: December 17, 2019
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Vulnerability Type: Broken Authentication, Authentication Bypass
  • Affected Versions: 9.5.2 - 9.5.0 and 8.7.1 - 8.7.0
  • Severity: High
  • Suggested CVSS v3.1: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N/E:F/RL:O/RC:C
  • CVE: Not assigned yet

Problem Description

The extension fails to validate the response from the Identity Provider which allows an attacker to create various frontend users on affected TYPO3 websites.

The authentication service allows to bypass frontend user authentication by providing a valid username with an empty password, if a SAML configuration is not created for the current website domain.

Solution

Updated versions 9.5.3 and 8.7.2 are available from the TYPO3 extension manager, Packagist and at
https://extensions.typo3.org/extension/download/mksamlauth/9.5.3/zip/
https://extensions.typo3.org/extension/download/mksamlauth/8.7.2/zip/
Users of the extension are advised to update the extension as soon as possible.

Note: It was not possible to fix the security issues without breaking changes. It is at least required to reconfigure the SAML configuration record(s) in the TYPO3 backend, because one configuration field has been added in order to mitigate the broken authentication issue.

Also note, that the new extension version in the TYPO3 Extension Repository does not bundle all required dependencies. The extension only works using TYPO3 in composer mode.

Credits

Credits go to Helmut Hummel who discovered and reported the vulnerability.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.