TYPO3-EXT-SA-2011-017: Authentication Bypass and Blind LDAP Injection in extension eu_ldap

November 15, 2011

Category: TYPO3 Extension
Author: Helmut Hummel
Keywords: eu_ldap, TYPO3-EXT-SA-2011-017

It has been discovered that the extension eu_ladap is vulnerable to Authentication Bypass and Blind LDAP Injection

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: Version 2.8.10 and all versions below

Vulnerability Type: Authentication Bypass, Blind LDAP Injection

Severity: High

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C (What's that?)

Release Date: November 15, 2011


Problem Description: If eu_ldap is configured to use a fallback authentication against user records in the TYPO3 database, an attacker doesn't need to know the original clear text password to successfully log in as a backend user, but can authenticate using the md5 password hash. 
Additionally username and password strings provided in the login form are passed unsanitized to a LDAP query.

Solution: An updated version 2.8.11 is available from the TYPO3 extension manager and athttp://typo3.org/extensions/repository/view/eu_ldap/2.8.11/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go Matthias Hunstock for finding and reporting the issue.


General advice: Follow the recommendations that are given in the TYPO3 Security Cookbook