[TYPO3-dev] Services architecture

Dmitry Dulepov dmitry.dulepov at gmail.com
Thu Mar 24 09:42:54 CET 2011


Hi!

Christian Lerrahn wrote:
> Yes. To a degree I can understand that. But then again, if you cannot
> trust the services and the core, you have a problem, anyway, right?

Services can be injected by any extension. They are not limited to the 
core. You never know what is installed. With all those regular ftp hacks 
around it takes very little effort to install a service extension and 
capture decrypted passwords if rsaauth would post them in clear text to 
global variables.

> After all, if I can inject a service to read the password after it has
> been decrypted by rsaauth, I can also inject a service which comes in
> before rsaauth and just calls rsaauth for decryption.

You will be able to authenticate the user if all keys and data exist in the 
system. But you will not get the password.

> I don't really see an increased security risk if not caused by an
> additional buggy service. However, if I add a buggy service to my
> TYPO3 install, I have compromised security even if rsaauth is careful.

It is not about "buggy". It is about "specially crafted malware" service.

> So, I can't see how the risk becomes any more significant as a result of
> passing the decrypted password on to the remaining service chain.

Get the username and password and post or mail it to some Chinese server. That 
happened a lot with various systems in recent months.

> It is a call to rsaauth but it checks first if the password is rsaauth
> encrypted or not. Calling it a duplicate probably went a bit too far but
> even a call results in the fragility I outlined in my original post.

I do not see issues with this approach. Extra knowledge is not good but it 
is not fatal or even critical.

-- 
Dmitry Dulepov
TYPO3 core&security team member
E-mail: dmitry.dulepov at typo3.org
Web: http://dmitry-dulepov.com/
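
The design point argued in this message, as an added Python model that is not part of the original post and is not TYPO3 or rsaauth code: a decrypting service that publishes the plaintext to shared state exposes it to every other service in the chain, while one that verifies internally still authenticates the user without handing the password on. All function names, the reversible toy encoding standing in for RSA, and the account are constructed assumptions.

```python
import hashlib
import hmac

SALT = b"constructed-salt"
def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)

USERS = {"editor": pw_hash("s3cret-pass")}  # constructed account

def toy_encrypt(password):  # stand-in for the client-side step, NOT real RSA
    return "rsa:" + password.encode()[::-1].hex()

def toy_decrypt(blob):
    return bytes.fromhex(blob[4:])[::-1].decode()

def decrypt_leaky(login, shared):
    # Weak design: plaintext goes into state that every later service receives.
    shared["plain_password"] = toy_decrypt(login["pass"])
    return None  # leaves the decision to a later service

def verify_leaky(login, shared):
    expected = USERS.get(login["user"], b"")
    return hmac.compare_digest(pw_hash(shared["plain_password"]), expected)

def decrypt_contained(login, shared):
    # Contained design: plaintext stays in a local; only the verdict leaves.
    plain = toy_decrypt(login["pass"])
    return hmac.compare_digest(pw_hash(plain), USERS.get(login["user"], b""))

def exposure_probe(seen):
    # Models any third-party service in the chain; records what it is handed.
    def service(login, shared):
        seen.extend(str(v) for v in (*login.values(), *shared.values()))
    return service

def run_chain(services, login):
    shared, verdict = {}, False
    for service in services:
        result = service(login, shared)
        if result is not None:
            verdict = result
    return verdict

def audit(contained, password="s3cret-pass"):
    seen = []
    probe = exposure_probe(seen)
    chain = [decrypt_contained, probe] if contained else [decrypt_leaky, probe, verify_leaky]
    login = {"user": "editor", "pass": toy_encrypt(password)}
    return run_chain(chain, login), password in seen
```

`audit()` returns the login verdict and whether the probe was handed the plaintext, so the two designs can be compared on the same login.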
