Component Type: TYPO3 Core
Affected Versions: TYPO3 version 4.3.0 with enabled system extension "openid"
Vulnerability Types: Authentication Bypass
Overall Severity: High
Release Date: January 14, 2010
Vulnerable subcomponent #1: System extension openid
Vulnerability Type: Authentication Bypass
Severity: High
CVE reference: CVE-2010-0286
Problem Description: By using an OpenID identity that is assigned to an existing backend user account, an arbitrary website user is able to login to the TYPO3 backend with granted rights of this specific user account.
Prerequisites for exploiting this vulnerability is an enabled system extension "openid", knowledge of OpenID identities assigned to TYPO3 user accounts, a victim's OpenID identity of a specific type of OpenID provider and both victim and attacker having identities at the same OpenID provider. Only OpenID identities are vulnerable whose provider discards submitted OpenID identities during authentication process and allows its users to choose a different identity to authenticate with. The TYPO3 Security Team is aware of at least one major OpenID provider that exhibits such behaviour.
TYPO3 System extension "openid" is disabled by default; enabling it requires a manual change in system configuration.
Solution: When using OpenID for authentication, please update to the TYPO3 version 4.3.1 that fix the problem described.
Credits: Credits go to TYPO3 Core member Jeff Segars who discovered and reported the issue. Thanks to Dmitry Dulepov and Oliver Hader from the TYPO3 Core team for working on a patch.
General Advice: Follow the recommendations that are given in the TYPO3 Security Cookbook. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.