TYPO3-CORE-SA-2019-002: Security Misconfiguration for Backend User Accounts

Categories: Development
It has been discovered that TYPO3 CMS is susceptible to security misconfiguration.
  • Component Type: TYPO3 CMS
  • Vulnerable subcomponent: Backend User Account Model (ext:core)
  • Release Date: January 22, 2019
  • Vulnerability Type: Security Misconfiguration
  • Affected Versions: 8.0.0-8.7.22 and 9.0.0-9.5.3
  • Severity: None - High (depending on 3rd party authentication services)
  • Suggested CVSS v3.0: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C
  • CVE: not assigned yet

Problem Description

When the TYPO3 backend is used to create new backend user accounts, database records containing insecure or empty credentials might be persisted. When the type of the user account is changed (the entity type, or the admin flag for backend users), the backend form is reloaded in order to reflect the changed configuration possibilities. However, this reload also persists the current state of the record, which can result in one of the following:

  • account contains empty login credentials (username and/or password)
  • account is incomplete and contains weak credentials (username and/or password)

Although the functionality provided by the TYPO3 core cannot be used with either an empty username or an empty password, such records can still constitute a severe vulnerability for custom authentication service implementations.

This weakness cannot be exploited directly; it requires deliberate interaction by a backend user with the corresponding privileges.

Solution

Update to TYPO3 version 8.7.23 or 9.5.4, which fix the problem described. Backend user accounts created via the backend user interface or the DataHandler API are now disabled by default; in addition, empty usernames and passwords are filled with random values to avoid scenarios where empty credentials are persisted.

Strong security defaults - Manual actions required

In order to apply strong security defaults, new backend user accounts are now disabled by default and need to be activated manually. To disable this behavior, the following setting can be applied in the individual installation:

$GLOBALS['TCA']['be_users']['columns']['disable']['config']['default'] = 0;

Besides that, it is ensured that no empty values for username and password are persisted anymore. This behavior can be adjusted by unregistering the corresponding hook:

$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'] = array_filter(
    $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'] ?? [],
    function ($className) { return $className !== \TYPO3\CMS\Core\Hooks\BackendUserPasswordCheck::class; }
);
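As an added check (not part of this advisory or of the TYPO3 code base): a small audit over be_users rows for the conditions described above, so that records persisted before the update can be reviewed. The sample rows are constructed, and the list of salted-hash prefixes is an assumption about the formats written by the saltedpasswords extension.

```python
import re
from dataclasses import dataclass

# Prefixes of the salted hash formats TYPO3 8/9 write via saltedpasswords
# (an assumption about those formats); anything else counts as weak storage.
SALTED_PREFIXES = ("$P$", "$1$", "$2y$", "$pbkdf2-sha256$", "$argon2i$")
MD5_HEX = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
# Constructed sample rows with the relevant be_users columns; not real data.
SAMPLE_ROWS = [
    {"uid": 1, "username": "admin", "password": "$P$Cconstructedphpasshash0000000", "disable": 0, "deleted": 0},
    {"uid": 2, "username": "", "password": "", "disable": 0, "deleted": 0},  # the advisory's scenario
    {"uid": 3, "username": "editor", "password": "", "disable": 1, "deleted": 0},
    {"uid": 4, "username": "legacy", "password": "5f4dcc3b5aa765d61d8327deb882cf99", "disable": 0, "deleted": 0},
    {"uid": 5, "username": "intern", "password": "secret", "disable": 1, "deleted": 0},
    {"uid": 6, "username": "", "password": "", "disable": 0, "deleted": 1},  # soft-deleted, ignored
]

@dataclass
class Finding:
    uid: int
    username: str
    issue: str
    enabled: bool  # True when disable == 0, i.e. the account can log in

def password_issue(stored: str):
    """Classify a stored be_users.password value; None means acceptable."""
    if stored == "":
        return "empty password"
    if MD5_HEX.match(stored):
        return "unsalted md5 password"
    if not stored.startswith(SALTED_PREFIXES):
        return "plaintext or unknown password format"
    return None

def audit(rows):
    """Return one Finding per problem, skipping soft-deleted records."""
    findings = []
    for row in rows:
        if row["deleted"]:
            continue
        enabled = row["disable"] == 0
        if row["username"].strip() == "":
            findings.append(Finding(row["uid"], row["username"], "empty username", enabled))
        issue = password_issue(row["password"])
        if issue is not None:
            findings.append(Finding(row["uid"], row["username"], issue, enabled))
    return findings

def enabled_findings(rows):
    # Findings on accounts that are not disabled need attention first.
    return [f for f in audit(rows) if f.enabled]
```

Run it against a dump of your own be_users table (uid, username, password, disable, deleted) and review every enabled finding before re-enabling accounts.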

Credits

Thanks to Oliver Eglseder who reported this issue and to TYPO3 core team member Benni Mack who fixed the issue.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security related code changes are tagged so that you can easily look them up in our review system.