TYPO3-PSA-2019-009: Truncated passwords during authentication process on typo3.org services

Categories: Community Created by Oliver Hader
It has been discovered that passwords were truncated during authentication process on typo3.org services.

Problem Description

Passwords of users on my.typo3.org - the management hub that is used to authenticate against multiple other typo3.org related services and tools - were stored using a broken cryptographic algorithm. Traditional CRYPT-DES has been used to generate a cryptographic hash of the plaintext password - due to the limitation on traditional DES, only the first eight characters of the password were used.

As a result, the first eight characters were sufficient to log in at my.typo3.org - even if the initial password was much longer. In case this sequence would have contained weak or guessable phrases - the potential of dictionary-based attacks was much higher to be successful. For instance, "password" would have been enough even if the actual plaintext password was "password%faH3!ieXees.h1iK".

In total three different hashing algorithms CRYPT-DES, MD5 and SHA1 had been applied and stored.

The following platforms were affected:

  • typo3.org
  • forge.typo3.org
  • review.typo3.org
  • git-t3o.typo3.org
  • talk.typo3.org
  • decisions.typo3.org
  • extensions.typo3.org
  • wiki.typo3.org
  • crm.typo3.com
  • typo3.com (partner network)

 

Solution

Broken CRYPT-DES algorithm has been disabled and corresponding hashes removed from LDAP password storage. All the above systems have now been converted to state of the art password hashing algorithm CRYPT-SHA-512 and a minimum password length of 12 characters, see https://git-t3o.typo3.org/t3o/my/commit/366392b103f40095c3df4076a0fa90c383cedcfd for implementation details.

Audits controls done by the maintainers of the platforms mentioned above have shown, that we have no reason to believe that this vulnerability has been unlawfully exploited.

Suggested Actions

As a precaution, we ask you to change your TYPO3.org password.

As an alternative, you can reset your password via the forgot password option.

Credits

Thanks to TYPO3 framework merger Frank Nägler who reported this issue.

Final note

Users having a TYPO3.org account have been informed already on October 28, 2019, on behalf of the TYPO3 Association. This public service announcement published by the TYPO3 security team aims to respond to questions we received to provide more technical insights into the original vulnerability and how it has been addressed in a collaborative effort among involved TYPO3 teams.