Bug #19831: Session fixation vulnerability in user authentication - Core - TYPO3 Forge

Core Indexed Search Linkvalidator Release Cycles Team Resources Workspaces & Versioning TYPO3 CMS Usability Team Community Extensions Distributions Feature-Requests TYPO3 6.2 Projects (+)(Archived Projects)

Bug #19831

Session fixation vulnerability in user authentication

Added by Marcus Krause over 6 years ago. Updated over 6 years ago.

Status:

Resolved

Start date:

2009-01-15

Priority:

Must have

Due date:

Assigned To:

Marcus Krause

% Done:

Category:

Spent time:

Target version:

TYPO3 Version:

4.0

Is Regression:

PHP Version:

5.2

Sprint Focus:

Complexity:

Description

references TYPO3 Security Team OTRS issue #2008102610000015

Versions:
4.0 up to trunk (4.0, 4.1, 4.2, trunk)

Problem:
Session IDs are reused by TYPO3 even when they not yet exist in the db but are submitted by a client.

Solution:
Check if there's a session record in the database before using submitted session ids.

Provided by TYPO3 Security Team
(issue imported from #M10146)

10146.diff (1.4 kB) Administrator Admin, 2009-01-15 06:12

10146_trunk_v1.diff (1.2 kB) Administrator Admin, 2009-01-18 17:25

Related issues

related to Core - Bug #19880: Patch 10146 in Version 4.2.4 does not work for me. None o...	Resolved	2009-01-21
related to Core - Bug #19867: DB session records are only created when users authenticate	Resolved	2009-01-20
related to Core - Bug #19879: after upgrade from 4.1.7 to 4.1.8 feusers and beusers hav...	Resolved	2009-01-21
related to Core - Bug #19874: Typo3 4.1.8: fe_session_data regression due to session fi...	Resolved	2009-01-21
related to Core - Bug #19908: session fixation fix avoid BE login	Resolved	2009-01-25
related to Core - Bug #20424: Built In shopping basket is not working	Closed	2009-05-14
related to Core - Bug #20290: Adding entries to recs[]-Array not working	Resolved	2009-04-07

History

#1 Updated by Marcus Krause over 6 years ago

The first patch is for trunk only as it makes use of newly added function exec_SELECTcountRows(), the other one is for 4-0 up to 4-2 where the row counting is down the old way.

ready to be committed

#2 Updated by Marcus Krause over 6 years ago

adding new patch 10146_trunk_v1.diff which replaces variablename $dbres by $count as requested by Francois

#3 Updated by Ingmar Schlecht over 6 years ago

Committed to 4.0, 4.1, 4.2 and trunk.

Also available in: Atom PDF

Core

Issues

Custom queries