TYPO3-CORE-SA-2019-011: Security Misconfiguration in User Session Handling

Categories: Development Created by Oliver Hader
It has been discovered, that TYPO3 CMS is susceptible to security misconfiguration.
  • Component Type: TYPO3 CMS
  • Vulnerable subcomponent: User Session Handling (ext:core)
  • Release Date: May 7, 2019
  • Vulnerability Type: Security Misconfiguration
  • Affected Versions: 8.0.0-8.7.24 and 9.0.0-9.5.5
  • Severity: Medium
  • Suggested CVSS v3.0: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C
  • CVE: not assigned yet

Problem Description

When users change their password existing sessions for that particular user account are not revoked. A valid backend or frontend user account is required in order to make use of this vulnerability.

Solution

Update to TYPO3 versions 8.7.25 or 9.5.6 that fix the problem described.

Maintainers of TYPO3 extensions are advised to revoke sessions on password change

When 3rd party extensions handle the process of changing account passwords individually it is advised to invalidate all sessions for that particular user account like shown in the following example.

$sessionManager = GeneralUtility::makeInstance(SessionManager::class);
$sessionBackend = $sessionManager->getSessionBackend('FE');
$sessionManager->invalidateAllSessionsByUserId($sessionBackend, (int)$id, $GLOBALS['TSFE']->fe_user);

Find more details at https://docs.typo3.org/typo3cms/extensions/core/latest/Changelog/8.7.x/Important-87298-DestroySessionsOnPasswordChange.html

Credits

Thanks to Maxime Wehrlin (Capgemini France) who reported this issue and to TYPO3 core merger Frank Nägler who fixed the issue.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security related code changes are tagged so that you can easily look them up in our review system.