ASA-2019-00019 – TYPO3: Security misconfiguration for backend user accounts


Allele Security Alert

ASA-2019-00019

Identifier(s)

ASA-2019-00019, TYPO3-CORE-SA-2019-002

Title

Security misconfiguration for backend user accounts

Vendor(s)

TYPO3

Product(s)

TYPO3 CMS

Affected version(s)

TYPO3 CMS versions 8.0.0 up to 8.7.22
TYPO3 CMS versions 9.0.0 up to 9.5.3

Fixed version(s)

TYPO3 CMS version 8.7.23
TYPO3 CMS version 9.5.4

Proof of concept

Unknown

Description

When a new backend user account is created in the TYPO3 backend, database records containing insecure or empty credentials can be persisted. Changing the type of the account (the record type, or the admin flag of a backend user) reloads the backend form so that it reflects the changed configuration options. That reload also persists the current, possibly incomplete, state of the record, which can result in the following:

  • account contains empty login credentials (username and/or password)
  • account is incomplete and contains weak credentials (username and/or password)

Although the authentication provided by the TYPO3 core rejects empty usernames and empty passwords, such records can still constitute a severe vulnerability for custom authentication service implementations, which may not reject them.
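As an added check, not part of the advisory and not code from the TYPO3 project: the following SQL audits the be_users table for records left in the state described above and disables any hits. It assumes the default be_users columns of TYPO3 8.7/9.5 (uid, username, password, admin, disable, deleted, tstamp) and that every properly stored password is a salted hash beginning with "$" ($P$, $1$, $2y$, $argon2i$, $pbkdf2-sha256$). The short-username heuristic is an assumption of this example, not a criterion from the advisory.

```sql
-- Added audit example for TYPO3 be_users; not from the advisory or TYPO3.
-- Assumed: default be_users schema of TYPO3 8.7/9.5 and MySQL/MariaDB.
-- A password that is empty or not '$'-prefixed is treated here as missing
-- or weak; a username shorter than 3 characters is a heuristic (assumption)
-- for a record saved mid-typing by the form reload.
SELECT uid, username, admin, disable,
       CASE
         WHEN TRIM(username) = ''          THEN 'empty username'
         WHEN password = ''                THEN 'empty password'
         WHEN password NOT LIKE '$%'       THEN 'unsalted or plaintext password'
         WHEN CHAR_LENGTH(username) < 3    THEN 'very short username (heuristic)'
       END AS finding
FROM be_users
WHERE deleted = 0
  AND (TRIM(username) = ''
       OR password = ''
       OR password NOT LIKE '$%'
       OR CHAR_LENGTH(username) < 3)
ORDER BY admin DESC, uid;

-- Neutralise the clear-cut hits until an administrator sets proper
-- credentials. Only the core login rejects empty fields; a custom
-- authentication service may not, so disable the record itself rather
-- than relying on the login form. Review the SELECT output first.
UPDATE be_users
SET disable = 1,
    tstamp  = UNIX_TIMESTAMP()
WHERE deleted = 0
  AND (TRIM(username) = ''
       OR password = ''
       OR password NOT LIKE '$%');
```

Records with the admin flag set are listed first because they are the ones a custom authentication service would turn into a full backend compromise. The advisory does not describe any cleanup of records that were already persisted before the fix, so run the SELECT after upgrading to 8.7.23 or 9.5.4 as well, and extend the password check if the installation stores a hash format other than the "$"-prefixed ones assumed here.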

Technical details

Unknown

Credits

Oliver Eglseder and Benni Mack (TYPO3 core team)

Reference(s)

TYPO3-CORE-SA-2019-002: Security Misconfiguration for Backend User Accounts
https://typo3.org/security/advisory/typo3-core-sa-2019-002/

TYPO3 9.5.4 and 8.7.23 security releases published
https://typo3.org/article/typo3-954-and-8723-security-releases-published/

[TYPO3-announce] Announcing TYPO3 v9.5.4 and v8.7.23 security releases
http://lists.typo3.org/pipermail/typo3-announce/2019/000437.html

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: May 10, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.