TYPO3-PSA-2019-006: Security Misconfiguration since TYPO3 9.4.0

Categories: Development | Created by Oliver Hader
It has been discovered that TYPO3 is susceptible to security misconfiguration.
  • Release Date: May 7, 2019
  • Component Type: Salted Passwords (bundled in TYPO3 core package, ext:core)
  • Impact: Security Misconfiguration
  • Affected Versions: TYPO3 9.4.0 through 9.5.5

Problem Description

Salted Passwords was bundled in TYPO3 as ext:saltedpasswords and was merged into the core component ext:core with TYPO3 v9.4.0 (see the documentation of issue #85833).

Extensions that take care of user generation or password manipulation in particular check whether ext:saltedpasswords is installed in order to make use of the corresponding API calls for hashing passwords. Some of these extensions provide a fallback to MD5 hashing - without using a salt - or do not modify passwords at all, which leads to plain-text passwords being stored. This is considered a severe decrease in security.

The following example demonstrates extension source code that worked correctly until TYPO3 v9.4.0 and has been falling back to plain-text passwords since then, because the system extension saltedpasswords is no longer available as a separately loaded extension.

use TYPO3\CMS\Core\Utility\ExtensionManagementUtility;
use TYPO3\CMS\Saltedpasswords\Salt\SaltFactory;

public function handleNewPassword(string $password)
{
    // On TYPO3 9.4.0 through 9.5.5 isLoaded('saltedpasswords') returns false,
    // because the functionality now lives in ext:core
    if (ExtensionManagementUtility::isLoaded('saltedpasswords')) {
        $factory = SaltFactory::getSaltingInstance();
        // return password hash using random salt
        return $factory->getHashedPassword($password);
    } else {
        // return plain text password - this branch is taken on the affected versions
        return $password;
    }
}

Solution

Update to TYPO3 version 9.5.6, which fixes the problem described by simulating the existence of ext:saltedpasswords, even though it is actually not installed as a separate extension but provided by ext:core instead.

Important: Analyse whether the site is affected and needs to be migrated

- Search for user passwords that are not hashed but stored in plain text or as MD5 hashes
- If possible, upgrade these passwords to salted hashes or remove the affected accounts
- These checks must be done at least for the be_users and fe_users database tables

The following example shows all passwords of the frontend users' database table fe_users: the first two passwords appear to be correctly using salted hashes ($2y$ referring to bcrypt), the last two appear to be plain text or an MD5 hash (32 hex characters).

mysql> SELECT uid, password FROM fe_users;
+-----+--------------------------------------------------------------+
| uid | password                                                     |
+-----+--------------------------------------------------------------+
|   1 | $2y$12$Q1w5mzRlTxSYQ632yED4y.HHRjrfmFHA.Q7Rh8Zv4ePzauzTu/kQa |
|   2 | $2y$12$xfo8lDu01uHtnQdIFqqoEe0Jyb3zuQFzqbrnPoR4wJfmuWG.H/vte |
|   3 | $eDie1zae:Ra3bae4thi                                         |
|   4 | 87b28920b0fa3da71160d9d12b2da1da                             |
+-----+--------------------------------------------------------------+
4 rows in set (0.00 sec)

The following example uses a regular expression query that lists the prefixes of common hash formats. In case custom hashing algorithms are used, the query has to be adjusted accordingly - find more details at https://en.wikipedia.org/wiki/Crypt_(C).

mysql> SELECT uid, password FROM fe_users
    -> WHERE password NOT REGEXP BINARY
    -> '^\\$(argon2i|pbkdf2-sha256|P|1|2|2a|2x|2y|5|6)\\$.+';
+-----+----------------------------------+
| uid | password                         |
+-----+----------------------------------+
|   3 | $eDie1zae:Ra3bae4thi             |
|   4 | 87b28920b0fa3da71160d9d12b2da1da |
+-----+----------------------------------+
2 rows in set (0.00 sec)

Maintainers of TYPO3 extensions are advised to update their sources in order to enforce the use of salted passwords and to enhance overall security when storing user credentials.

Maintainers of TYPO3 extensions are advised to enforce Salted Passwords

Salted Passwords were introduced in TYPO3 v4.3 around 9 years ago and became mandatory with TYPO3 v6.2 LTS. Extensions have to enforce the use of salted passwords without falling back to weaker algorithms that do not use salts, or even to plain text. In case passwords cannot be salted, the process shall be halted and logged.
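As an added example (not code from this advisory or from any TYPO3 extension), the following is a hardened counterpart of the handleNewPassword() method shown in the problem description: it asks the TYPO3 v9.5 core PasswordHashFactory for the configured hash class instead of probing for ext:saltedpasswords, has no plain-text or MD5 fallback, and halts with a logged error when no salted hash can be produced. The PasswordHandler class name and the injected PSR-3 logger are assumptions of this example.

```php
<?php
declare(strict_types=1);

use Psr\Log\LoggerInterface;
use TYPO3\CMS\Core\Crypto\PasswordHashing\InvalidPasswordHashException;
use TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory;
use TYPO3\CMS\Core\Utility\GeneralUtility;

// Hypothetical class for this example; the logger is assumed to be injected.
final class PasswordHandler
{
    /** @var LoggerInterface */
    private $logger;

    public function __construct(LoggerInterface $logger)
    {
        $this->logger = $logger;
    }

    /**
     * @param string $password clear-text password entered by the user
     * @param string $mode     'FE' for fe_users, 'BE' for be_users
     * @return string salted hash (e.g. "$2y$12$..." or "$argon2i$...")
     * @throws \RuntimeException if no salted hash can be produced
     */
    public function handleNewPassword(string $password, string $mode = 'FE'): string
    {
        try {
            // Ask the core for the configured default hash class instead of
            // checking whether ext:saltedpasswords is loaded.
            $hashInstance = GeneralUtility::makeInstance(PasswordHashFactory::class)
                ->getDefaultHashInstance($mode);
            $hash = $hashInstance->getHashedPassword($password);
            // Round-trip check: the value to be stored must be a salted hash
            // that verifies against the clear text, never the clear text itself.
            $usable = is_string($hash) && $hash !== '' && $hash !== $password
                && $hashInstance->isValidSaltedPW($hash)
                && $hashInstance->checkPassword($password, $hash);
        } catch (InvalidPasswordHashException $e) {
            $this->logger->critical('No password hash class available', ['exception' => $e]);
            $usable = false;
        }
        if (!$usable) {
            // Halt and log instead of silently storing a weaker value.
            $this->logger->critical('Refusing to store an unsalted password', ['mode' => $mode]);
            throw new \RuntimeException('Password hashing unavailable, operation aborted');
        }
        return $hash;
    }
}
```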

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.