Fixed bug #13372: saltedpasswords - Authentication Bypass in frontend…

… user authentication

git-svn-id: https://svn.typo3.org/TYPO3v4/Core/branches/TYPO3_4-3@6980 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog

@@ -1,3 +1,7 @@
+2010-02-23  Oliver Hader  <oliver@typo3.org>
+
+	* Fixed bug #13372: saltedpasswords - Authentication Bypass in frontend user authentication (thanks to Marcus Krause & Dmitry Dulepov)
+
 2010-02-22  Dmitry Dulepov  <dmitry.dulepov@gmail.com>
 
 	* Fixed bug #12958: Catchable fatal error in indexed_search

typo3/sysext/saltedpasswords/sv1/class.tx_saltedpasswords_sv1.php

@@ -79,6 +79,15 @@ class tx_saltedpasswords_sv1 extends tx_sv_authbase {
 	 */
 	protected $objInstanceSaltedPW = NULL;
 
+	/**
+	 * Indicates whether the salted password authentication has failed.
+	 *
+	 * Prevents authentication bypass. See vulnerability report:
+	 * { @link http://bugs.typo3.org/view.php?id=13372 }
+	 *
+	 * @var boolean
+	 */
+	protected $authenticationFailed = FALSE;
 
 	/**
 	 * Checks if service is available. In case of this service we check that
@@ -123,6 +132,12 @@ function compareUident(array $user, array $loginData, $security_level = 'normal'
 		if (is_object($this->objInstanceSaltedPW)) {
 			$validPasswd = $this->objInstanceSaltedPW->checkPassword($password,$user['password']);
 
+				// record is in format of Salted Hash password but authentication failed
+				// skip further authentication methods
+			if (!$validPasswd) {
+				$this->authenticationFailed = TRUE;
+			}
+
 			$defaultHashingClassName = tx_saltedpasswords_div::getDefaultSaltingHashingMethod();
 			$skip = FALSE;
 
@@ -158,10 +173,20 @@ function compareUident(array $user, array $loginData, $security_level = 'normal'
 					$validPasswd = $this->objInstanceSaltedPW->checkPassword(md5($password), substr($user['password'], 1));
 				}
 
+					// skip further authentication methods
+				if (!$validPasswd) {
+					$this->authenticationFailed = TRUE;
+				}
+
 				// password is stored as md5
 			} else if (preg_match('/[0-9abcdef]{32,32}/', $user['password'])) {
 				$validPasswd = (!strcmp(md5($password), $user['password']) ? TRUE : FALSE);
 
+					// skip further authentication methods
+				if (!$validPasswd) {
+					$this->authenticationFailed = TRUE;
+				}
+
 				// password is stored plain or unrecognized format
 			} else {
 				$validPasswd = (!strcmp($password, $user['password']) ? TRUE : FALSE);
@@ -219,7 +244,7 @@ public function authUser(array $user) {
 				);
 			}
 
-			if (!$validPasswd && intval($this->extConf['onlyAuthService'])) {
+			if (!$validPasswd && (intval($this->extConf['onlyAuthService']) || $this->authenticationFailed)) {
 					// Failed login attempt (wrong password) - no delegation to further services
 				$this->writeLog(
 					TYPO3_MODE . ' Authentication failed - wrong password for username \'%s\'',