TYPO3-SA-2010-013: Vulnerability in extension Front End User Registration (sr_feuser_register)

It has been discovered that the extension Frontend User Registration (sr_feuser_register) is susceptible to Security Misconfiguration.

Component Type: Third party extension. This extension is not part of the TYPO3 default installation.

Affected Versions: Version 2.5.25.

Vulnerability Type: Security Misconfiguration

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C

Release Date: 28.07.2010

Problem Description: The extension fails to preserve passwords. When registering a new user, the new password might be an empty string. When editing an existing record, the existing password might be changed to an empty string. An attacker might log in to a restricted system without using a password.

Solution: Updated versions are available from the TYPO3 extension manager.

Users are advised to upgrade to extension version 2.5.26 which is available at http://typo3.org/extensions/repository/view/sr_feuser_register/2.5.26/

Note: At the time of writing, the most recent version of Front End User Registration in branch 2.5 is version 2.5.27 which is available at typo3.org/extensions/repository/view/sr_feuser_register/2.5.27/

Fixing corrupted data: Try to determine the timeframe during which extension version 2.5.25 was installed on your system. All newly registered users and all user records that were changed in this timeframe must be considered corrupted data with regard to the password. An obvious sign of this is an empty string in the password field of a user record in the database, or the MD5 hash d41d8cd98f00b204e9800998ecf8427e, which represents an empty string (depending on your security configuration). For all corrupted records, set the password to an arbitrary, complex new (secret) password and advise your users to request a new password via the "password forgot" functionality (felogin).
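One way to run the check described above, as an added example that is not part of the advisory or the extension. It assumes the standard TYPO3 `fe_users` table with `crdate` and `tstamp` stored as Unix timestamps; the in-memory SQLite table, the sample rows and the date window are constructed, and the window must be replaced with your own installation timeframe.

```python
import hashlib
import sqlite3
from datetime import datetime, timezone

# MD5 of the empty string; equals the hash quoted in the advisory.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()

def ts(day):
    """Convert YYYY-MM-DD (UTC) to a Unix timestamp as used by crdate/tstamp."""
    return int(datetime.strptime(day, "%Y-%m-%d")
               .replace(tzinfo=timezone.utc).timestamp())

def classify(password):
    """Label a stored password value with the sign named in the advisory."""
    if not password:
        return "empty"
    if password.lower() == EMPTY_MD5:
        return "md5-of-empty"
    return "no-obvious-sign"  # still in the window, so still to be reset

def find_in_window(conn, start, end):
    """Return (uid, username, sign) for every record created or changed
    while the affected version was installed."""
    rows = conn.execute(
        """SELECT uid, username, password FROM fe_users
           WHERE crdate BETWEEN :s AND :e OR tstamp BETWEEN :s AND :e
           ORDER BY uid""",
        {"s": start, "e": end},
    ).fetchall()
    return [(uid, name, classify(pw)) for uid, name, pw in rows]

def demo():
    """Run the check against constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fe_users (uid INTEGER PRIMARY KEY, "
                 "username TEXT, password TEXT, crdate INTEGER, tstamp INTEGER)")
    other = hashlib.md5(b"constructed-sample").hexdigest()
    conn.executemany("INSERT INTO fe_users VALUES (?, ?, ?, ?, ?)", [
        (1, "alice", "", ts("2010-07-10"), ts("2010-07-10")),  # registered in window
        (2, "bob", EMPTY_MD5, ts("2009-01-05"), ts("2010-07-15")),  # edited in window
        (3, "carol", other, ts("2010-07-12"), ts("2010-07-12")),  # in window, non-empty hash
        (4, "dave", other, ts("2008-03-01"), ts("2008-03-01")),  # outside window
    ])
    # Constructed window; substitute the period 2.5.25 was installed.
    return find_in_window(conn, ts("2010-07-01"), ts("2010-07-28"))

if __name__ == "__main__":
    for record in demo():
        print(record)
```

Records labelled `no-obvious-sign` are listed because the advisory treats every record registered or changed in the window as corrupted, not only those showing an empty value.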

General advice: Follow the recommendations that are given in the TYPO3 Security Cookbook. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Credits: Credits go to Petra Arentzen who discovered and reported the issue.