[TYPO3-dev] Services architecture
Christian Lerrahn
typo3 at penpal4u.net
Thu Mar 24 09:36:52 CET 2011
On Thu, 24 Mar 2011 10:29:53 +0200
Dmitry Dulepov <dmitry.dulepov at gmail.com> wrote:
> Hi!
>
> Christian Lerrahn (Cerebrum) wrote:
> > Now, I was rather puzzled (and to be honest a bit shocked) when I
> > found out that rsaauth calls the basic authentication services
> > again instead of just exiting to pass the decrypted password down
> > the chain.
>
> You never know who is watching for the decrypted password. The safer
> way was to call the basic auth from the rsaauth. In that case clear
> text password only visible to those to whom it is necessary.

Yes. To a degree I can understand that. But then again, if you cannot
trust the services and the core, you have a problem, anyway, right?
After all, if I can inject a service to read the password after it has
been decrypted by rsaauth, I can also inject a service which comes in
before rsaauth and just calls rsaauth for decryption.

I don't really see an increased security risk if not caused by an
additional buggy service. However, if I add a buggy service to my
TYPO3 install, I have compromised security even if rsaauth is careful.
So, I can't see how the risk becomes any more significant as a result of
passing the decrypted password on to the remaining service chain.

> > This gets even worse when saltedpasswords duplicates rsaauth code to
> > decrypt the password before it checks it against the stored password
> > hash.
>
> I never reviewed the code of that extension, so I cannot comment. Is
> it really a duplicate or it is a call to rsaauth?
>
It is a call to rsaauth but it checks first if the password is rsaauth
encrypted or not. Calling it a duplicate probably went a bit too far but
even a call results in the fragility I outlined in my original post.

Cheers,
Christian