Typo3 updates patch holes
The Typo3 developers have released versions 4.3.1 and 4.2.11 of their open source CMS software to fix numerous flaws. In version 4.3.1, the developers also closed a security hole in the OpenID extension; however, this extension is not enabled by default.
The hole allows attackers to trick the authentication mechanism and log into the CMS with another user's privileges by entering someone else's ID. However, several conditions must be met for an attack to succeed. For instance, the victim must have an OpenID, the attacker must reportedly also have an OpenID from the same provider, and the attacker must know the victim's OpenID. Furthermore, the provider's authentication process must allow a submitted ID entry to be discarded and an alternative ID to be chosen for authentication.
Testing will reveal how easy it is to fulfil these criteria. According to the developers, however, at least one major OpenID provider exhibits such behaviour. The developers, therefore, rate the hole as a high security risk and recommend that users whose CMS uses OpenID should update their systems.
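The conditions above amount to a relying party that selects the local account from the identifier typed into the login form rather than from the identifier the provider actually authenticated. The following added example is a simplified model of that decision next to a corrected one; it is not TYPO3's code, and the account table, function names and the assumption that the flaw lies in this lookup are illustrative.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Assertion:
    """Positive assertion returned by the provider.

    Assumption: its signature has already been verified by the relying party.
    claimed_id models the openid.claimed_id field of an OpenID 2.0 response.
    """
    claimed_id: str


# Constructed sample data: OpenID identifier -> local CMS account.
USERS = {
    "https://provider.example/alice": "alice_admin",
    "https://provider.example/mallory": "mallory_editor",
}


def login_flawed(submitted_id: str, assertion: Optional[Assertion]) -> Optional[str]:
    """Flawed model: any valid assertion logs in the account of the *submitted* ID."""
    if assertion is None:
        return None
    return USERS.get(submitted_id)


def login_hardened(submitted_id: str, assertion: Optional[Assertion]) -> Optional[str]:
    """Corrected model: the account is chosen from the ID the provider asserted."""
    if assertion is None:
        return None
    return USERS.get(assertion.claimed_id)


def identifier_switched(submitted_id: str, assertion: Assertion) -> bool:
    """Detection hook: the provider authenticated a different ID than was entered."""
    return assertion.claimed_id != submitted_id


if __name__ == "__main__":
    entered = "https://provider.example/alice"
    # The provider let the user pick another identity during authentication.
    response = Assertion(claimed_id="https://provider.example/mallory")
    print("flawed   ->", login_flawed(entered, response))
    print("hardened ->", login_hardened(entered, response))
    print("switched ->", identifier_switched(entered, response))
```

Logging every case where `identifier_switched` returns true gives operators a way to spot attempts against an unpatched or misconfigured installation.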
See also:
- Authentication Bypass in TYPO3 Core, security advisory from Typo3.
(crve)