[SECURITY] Require step-up authentication for password change

Require a password confirmation for every password change
of backend users via FormEngine (applies to own passwords and passwords
of other users).

Also require a recent user verification (step-up) for any
change to backend user details.

Resolves: #103252
Releases: main, 13.4, 12.4
Change-Id: I2a74b15dd3d7e7bded8b59b5df5af1097d5e7b59
Security-Bulletin: TYPO3-CORE-SA-2025-013
Security-References: CVE-2025-47938
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/89467
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Author: bnf

Build/Sources/TypeScript/backend/ajax-data-handler.ts

@@ -15,6 +15,7 @@ import { BroadcastMessage } from '@typo3/backend/broadcast-message';
 import AjaxRequest from '@typo3/core/ajax/ajax-request';
 import BroadcastService from '@typo3/backend/broadcast-service';
 import Notification from './notification';
+import { sudoModeInterceptor } from '@typo3/backend/security/sudo-mode-interceptor';
 import type { AjaxResponse } from '@typo3/core/ajax/ajax-response';
 import type ResponseInterface from './ajax-data-handler/response-interface';
 
@@ -39,9 +40,13 @@ class AjaxDataHandler {
    * @returns {Promise<ResponseInterface>}
    */
   private static call(params: string | object): Promise<ResponseInterface> {
-    return (new AjaxRequest(TYPO3.settings.ajaxUrls.record_process)).withQueryArguments(params).get().then(async (response: AjaxResponse): Promise<ResponseInterface> => {
-      return await response.resolve();
-    });
+    return (new AjaxRequest(TYPO3.settings.ajaxUrls.record_process))
+      .addMiddleware(sudoModeInterceptor)
+      .withQueryArguments(params)
+      .get()
+      .then(async (response: AjaxResponse): Promise<ResponseInterface> => {
+        return await response.resolve();
+      });
   }
 
   /**

Build/Sources/TypeScript/backend/form-engine/element/mfa-info-element.ts

@@ -18,6 +18,7 @@ import Notification from '@typo3/backend/notification';
 import Modal from '@typo3/backend/modal';
 import { SeverityEnum } from '@typo3/backend/enum/severity';
 import { selector } from '@typo3/core/literals';
+import { sudoModeInterceptor } from '@typo3/backend/security/sudo-mode-interceptor';
 import type { AjaxResponse } from '@typo3/core/ajax/ajax-response';
 
 interface FieldOptions {
@@ -110,7 +111,7 @@ class MfaInfoElement {
     if (this.request instanceof AjaxRequest) {
       this.request.abort();
     }
-    this.request = (new AjaxRequest(TYPO3.settings.ajaxUrls.mfa));
+    this.request = (new AjaxRequest(TYPO3.settings.ajaxUrls.mfa)).addMiddleware(sudoModeInterceptor);
     this.request.post({
       action: 'deactivate',
       provider: provider,

Build/Sources/TypeScript/backend/recordlist.ts

@@ -21,6 +21,7 @@ import type { ActionConfiguration, ActionEventDetails } from '@typo3/backend/mul
 import Notification from '@typo3/backend/notification';
 import AjaxRequest from '@typo3/core/ajax/ajax-request';
 import { AjaxResponse } from '@typo3/core/ajax/ajax-response';
+import { sudoModeInterceptor } from '@typo3/backend/security/sudo-mode-interceptor';
 
 interface IconIdentifier {
   collapse: string;
@@ -226,7 +227,7 @@ class Recordlist {
     const isVisible = target.dataset.datahandlerStatus === 'visible';
     const targetAction = isVisible ? 'hide' : 'show';
 
-    new AjaxRequest(TYPO3.settings.ajaxUrls.record_toggle_visibility).post({
+    new AjaxRequest(TYPO3.settings.ajaxUrls.record_toggle_visibility).addMiddleware(sudoModeInterceptor).post({
       table: table,
       uid: uid,
       action: targetAction,

Build/Sources/TypeScript/backend/security/element/sudo-mode.ts

@@ -45,6 +45,7 @@ interface Labels {
 abstract class SudoModeProperties extends LitElement {
   @property({ type: String }) verifyActionUri: string;
   @property({ type: String }) cancelUri: string;
+  @property({ type: Boolean }) isAjax: boolean;
   @property({ type: Boolean, attribute: 'has-fatal-error' }) hasFatalError: boolean;
   @property({ type: Boolean, attribute: 'allow-install-tool-password' }) allowInstallToolPassword: boolean;
   @property({ type: Object }) labels: Labels;
@@ -115,6 +116,7 @@ export class SudoMode extends SudoModeProperties {
           .labels=${this.labels}
           .verifyActionUri=${this.verifyActionUri}
           .cancelUri=${this.cancelUri}
+          .isAjax=${this.isAjax}
           .hasFatalError=${this.hasFatalError}
           .allowInstallToolPassword=${this.allowInstallToolPassword}
           @typo3:sudo-mode:verified=${() => this.dispatchEvent(new Event('typo3:sudo-mode:verified'))}
@@ -208,7 +210,7 @@ export class SudoModeForm extends SudoModeProperties {
       const responseData: SudoModeResponse = await response.resolve('application/json');
       this.dispatchEvent(new Event('typo3:sudo-mode:verified'));
       this.closest('typo3-backend-modal').hideModal();
-      if (responseData.redirect) {
+      if (!this.isAjax && responseData.redirect) {
         Viewport.ContentContainer.setUrl(responseData.redirect.uri);
       }
     } catch (e: unknown) {

Build/Sources/TypeScript/backend/security/sudo-mode-interceptor.ts

@@ -0,0 +1,19 @@
+import type { RequestMiddleware, RequestHandler } from '@typo3/core/ajax/ajax-request-types';
+
+export const sudoModeInterceptor: RequestMiddleware = async (request: Request, next: RequestHandler): Promise<Response> => {
+  // Requests are not immutable, therefore we clone to be able to re-submit exactly the same request later on
+  const requestClone = request.clone();
+  const response = await next(request);
+  if (response.status === 422) {
+    const { initiateSudoModeModal } = await import('@typo3/backend/security/element/sudo-mode');
+    const data = await response.json();
+    try {
+      await initiateSudoModeModal(data.sudoModeInitialization);
+    } catch {
+      // sudo mode was aborted
+      return response;
+    }
+    return next(requestClone);
+  }
+  return response;
+};

Build/Sources/TypeScript/core/ajax/ajax-request-types.ts

@@ -0,0 +1,15 @@
+/*
+ * This file is part of the TYPO3 CMS project.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ *
+ * The TYPO3 project - inspiring people to share!
+ */
+
+export type RequestHandler = (request: Request) => Promise<Response>;
+export type RequestMiddleware = (request: Request, next: RequestHandler) => Promise<Response>;

Build/Sources/TypeScript/core/ajax/ajax-request.ts

@@ -13,6 +13,7 @@
 
 import { AjaxResponse } from '@typo3/core/ajax/ajax-response';
 import { InputTransformer, type GenericKeyValue } from './input-transformer';
+import type { RequestMiddleware, RequestHandler } from '@typo3/core/ajax/ajax-request-types';
 
 /**
  * @example send data as `Content-Type: multipart/form-data` (default)
@@ -36,10 +37,12 @@ class AjaxRequest {
 
   private readonly url: URL;
   private readonly abortController: AbortController;
+  private fetch: RequestHandler;
 
   constructor(url: URL|string) {
     this.url = url instanceof URL ? url : new URL(url, window.location.origin + window.location.pathname);
     this.abortController = new AbortController();
+    this.fetch = (request: Request) => fetch(request);
   }
 
   /**
@@ -141,6 +144,25 @@ class AjaxRequest {
     this.abortController.abort();
   }
 
+  /**
+   * Adds an outer middleware around the fetch invocation.
+   * Previous registered middlewares are handled after
+   * the one(s) that is/are added here.
+   *
+   * @param {RequestMiddleware | RequestMiddleware[]} middleware
+   * @return {AjaxRequest}
+   */
+  public addMiddleware(middleware: RequestMiddleware | RequestMiddleware[]): AjaxRequest {
+    if (Array.isArray(middleware)) {
+      middleware.forEach(middleware => this.addMiddleware(middleware));
+      return this;
+    }
+
+    const next = this.fetch;
+    this.fetch = (request: Request) => middleware(request, next);
+    return this;
+  }
+
   /**
    * Clones the current AjaxRequest object
    *
@@ -157,7 +179,7 @@ class AjaxRequest {
    * @return {Promise<Response>}
    */
   private async send(init: RequestInit = {}): Promise<Response> {
-    const response = await fetch(this.url, this.getMergedOptions(init));
+    const response = await this.fetch(new Request(this.url, this.getMergedOptions(init)));
     if (!response.ok) {
       throw new AjaxResponse(response);
     }

Build/Sources/TypeScript/core/tests/ajax/ajax-request-test.ts

@@ -42,12 +42,12 @@ describe('@typo3/core/ajax/ajax-request', (): void => {
 
   it('sends GET request', (): void => {
     (new AjaxRequest('https://example.com')).get();
-    expect(fetchStub).calledWithMatch(new URL('https://example.com/'), { method: 'GET' });
+    expect(fetchStub).calledWithMatch(new Request('https://example.com/', { method: 'GET' }));
   });
 
   it('sends POST request with empty object', (): void => {
     (new AjaxRequest('https://example.com')).post({});
-    expect(fetchStub).calledWithMatch(new URL('https://example.com/'), { method: 'POST', body: '' });
+    expect(fetchStub).calledWithMatch(new Request('https://example.com/', { method: 'POST', body: '' }));
   });
 
   for (const requestMethod of ['POST', 'PUT', 'DELETE']) {
@@ -92,7 +92,7 @@ describe('@typo3/core/ajax/ajax-request', (): void => {
         it(`with ${name}`, (done): void => {
           const request: any = (new AjaxRequest('https://example.com'));
           request[requestFn](payload, { headers: headers });
-          expect(fetchStub).calledWithMatch(new URL('https://example.com/'), { method: requestMethod, body: expectedFn() });
+          expect(fetchStub).calledWithMatch(new Request('https://example.com/', { method: requestMethod, body: expectedFn() }));
           done();
         });
       }
@@ -138,7 +138,7 @@ describe('@typo3/core/ajax/ajax-request', (): void => {
 
         (new AjaxRequest(new URL('https://example.com'))).get().then(async (response: AjaxResponse): Promise<void> => {
           const data = await response.resolve();
-          expect(fetchStub).calledWithMatch(new URL('https://example.com/'), { method: 'GET' });
+          expect(fetchStub).calledWithMatch(new Request('https://example.com/', { method: 'GET' }));
           onfulfill(data, responseText);
           done();
         });
@@ -196,7 +196,7 @@ describe('@typo3/core/ajax/ajax-request', (): void => {
       const [name, input, queryParameter, expected] = providedData;
       it('with ' + name, (): void => {
         (new AjaxRequest(input)).withQueryArguments(queryParameter).get();
-        expect(fetchStub).calledWithMatch(expected, { method: 'GET' });
+        expect(fetchStub).calledWithMatch(new Request(expected.toString(), { method: 'GET' }));
       });
     }
   });
@@ -265,7 +265,7 @@ describe('@typo3/core/ajax/ajax-request', (): void => {
       const [name, input, expected] = providedData;
       it('with ' + name, (): void => {
         (new AjaxRequest('https://example.com/')).withQueryArguments(input).get();
-        expect(fetchStub).calledWithMatch(expected, { method: 'GET' });
+        expect(fetchStub).calledWithMatch(new Request(expected.toString(), { method: 'GET' }));
       });
     }
   });
@@ -275,7 +275,7 @@ describe('@typo3/core/ajax/ajax-request', (): void => {
       const request = new AjaxRequest(new URL('https://example.com'));
       request.get();
       request.abort();
-      expect((fetchStub.firstCall.args[1].signal as AbortSignal).aborted).to.be.true;
+      expect((fetchStub.firstCall.args[0] as Request).signal.aborted).to.be.true;
     });
 
     it('via signal option', (): void => {
@@ -284,7 +284,7 @@ describe('@typo3/core/ajax/ajax-request', (): void => {
       request.get({ signal: abortController.signal });
       abortController.abort();
       expect(abortController.signal.aborted).to.be.true;
-      expect((fetchStub.firstCall.args[1].signal as AbortSignal).aborted).to.be.true;
+      expect((fetchStub.firstCall.args[0] as Request).signal.aborted).to.be.true;
     });
   });
 });

typo3/sysext/backend/Classes/Controller/RecordListController.php

@@ -29,6 +29,7 @@
 use TYPO3\CMS\Backend\Routing\Exception\RouteNotFoundException;
 use TYPO3\CMS\Backend\Routing\PreviewUriBuilder;
 use TYPO3\CMS\Backend\Routing\UriBuilder;
+use TYPO3\CMS\Backend\Security\SudoMode\Exception\VerificationRequiredException;
 use TYPO3\CMS\Backend\Template\Components\ButtonBar;
 use TYPO3\CMS\Backend\Template\Components\Buttons\DropDown\DropDownItemInterface;
 use TYPO3\CMS\Backend\Template\Components\Buttons\DropDown\DropDownToggle;
@@ -313,6 +314,9 @@ public function toggleRecordVisibilityAction(ServerRequestInterface $request): R
                     $response['hasErrors'] = true;
                 }
             }
+        } catch (VerificationRequiredException $e) {
+            // Handled by Middleware/SudoModeInterceptor
+            throw $e;
         } catch (\Throwable $e) {
             // @todo: having this explicit handling here sucks
             $response = [

typo3/sysext/backend/Classes/Controller/Security/SudoModeController.php

@@ -90,9 +90,12 @@ public function moduleAction(ServerRequestInterface $request): ResponseInterface
             return $this->redirectToErrorAction();
         }
 
+        $labels = $this->getLanguageService()->getLabelsFromResource('EXT:backend/Resources/Private/Language/SudoMode.xlf');
+
         $view = $this->moduleTemplateFactory->create($request);
         $view->assignMultiple([
             'verifyActionUri' => $this->buildVerifyActionUriForClaim($claim),
+            'allowInstallToolPassword' => $this->getBackendUser()->isSystemMaintainer(true),
             'labels' => $this->getLanguageService()->getLabelsFromResource('EXT:backend/Resources/Private/Language/SudoMode.xlf'),
         ]);
         return $view->renderResponse('SudoMode/Module');
@@ -140,6 +143,10 @@ public function verifyAction(ServerRequestInterface $request): ResponseInterface
 
         $password = (string)($request->getParsedBody()['password'] ?? '');
         $useInstallToolPassword = (bool)($request->getParsedBody()['useInstallToolPassword'] ?? false);
+        // Only system maintainers are allowed to use the installtool password for sudo mode operations
+        if (!$GLOBALS['BE_USER']->isSystemMaintainer(true)) {
+            $useInstallToolPassword = false;
+        }
         $loggerContext = $this->buildLoggerContext($claim);
 
         $redirect = [
@@ -196,8 +203,10 @@ private function resolveClaimFromRequest(ServerRequestInterface $request, string
 
     private function grantClaim(AccessClaim $claim): void
     {
-        $grant = $this->factory->buildGrantForSubject($claim->subject);
-        $this->storage->addGrant($grant);
+        foreach ($claim->subjects as $subject) {
+            $grant = $this->factory->buildGrantForSubject($subject);
+            $this->storage->addGrant($grant);
+        }
     }
 
     /**