From cbaf75ce331327a2af360ca05be1fc6c9ffd5c6c Mon Sep 17 00:00:00 2001
From: Oliver Hader
Date: Thu, 12 Jul 2018 11:31:43 +0200
Subject: [PATCH] [SECURITY] Deny authentication bypass using blowfish/md5 encryption

Using password hashing methods that are related by class inheritance can lead to authentication bypass by just knowing a valid username.

Resolves: #84703
Releases: master, 8.7, 7.6
Security-Commit: 17853c536776b6a7332b05b1e10385f4d87868ae
Security-Bulletin: TYPO3-CORE-SA-2018-001
Change-Id: If7a13d3699e217d7d853886b93b84b46f7e22b11
Reviewed-on: https://review.typo3.org/57543
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
---
 .../sysext/saltedpasswords/Classes/SaltedPasswordService.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/typo3/sysext/saltedpasswords/Classes/SaltedPasswordService.php b/typo3/sysext/saltedpasswords/Classes/SaltedPasswordService.php
index 9a7b7df94bf2..8e03b041fd07 100644
--- a/typo3/sysext/saltedpasswords/Classes/SaltedPasswordService.php
+++ b/typo3/sysext/saltedpasswords/Classes/SaltedPasswordService.php
@@ -109,8 +109,8 @@ public function compareUident(array $user, array $loginData, $passwordCompareStr
 }
 $defaultHashingClassName = \TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::getDefaultSaltingHashingMethod();
 $skip = false;
- // Test for wrong salted hashing method
- if ($validPasswd && !(get_class($this->objInstanceSaltedPW) == $defaultHashingClassName) || is_subclass_of($this->objInstanceSaltedPW, $defaultHashingClassName)) {
+ // Test for wrong salted hashing method (only if current method is not related to default method)
+ if ($validPasswd && get_class($this->objInstanceSaltedPW) !== $defaultHashingClassName && !is_subclass_of($this->objInstanceSaltedPW, $defaultHashingClassName)) {
 // Instantiate default method class
 $this->objInstanceSaltedPW = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(null);
 $this->updatePassword((int)$user['uid'], ['password' => $this->objInstanceSaltedPW->getHashedPassword($password)]);
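Review bot: The corrected predicate on the added `if` line is right, but it still expresses the security-critical invariant — the rehash-and-store path must only run for an already verified password — purely through `&&`/`||` precedence, which is exactly the property the removed line got wrong when its `|| is_subclass_of(...)` let an unverified password reach `updatePassword()`. I would hoist the class-relationship test into a named boolean and keep the `$validPasswd` guard as a separate, obvious term, e.g. `$usesDefaultMethod = get_class($this->objInstanceSaltedPW) === $defaultHashingClassName || is_subclass_of($this->objInstanceSaltedPW, $defaultHashingClassName);` followed by `if ($validPasswd && !$usesDefaultMethod) {`, so a later edit to the hashing-method logic cannot reintroduce a branch that stores a hash of the submitted `$password` without verification. A one-line comment above the block stating that invariant would also help future readers, e.g. `// Never rehash or store the submitted password unless it has been verified against the stored hash first`. The rest of compareUident(), including where `$validPasswd` and `$password` are set and where `$skip` is consumed, lies outside this hunk, so I cannot confirm from here that no other path reaches `updatePassword()`.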