[TYPO3-dev] Services architecture

Steffen Ritter info at rs-websystems.de
Thu Mar 24 11:50:04 CET 2011


Am 24.03.2011 11:40, schrieb Dmitry Dulepov:
> Hi!
>
> Steffen Ritter wrote:
>> As already pointed out I see no difference if you inject some code just
>> reading a variable, or calling some more lines and decrypting it with
>> rsaauth itself
>
> If I remember correctly, you cannot get the password from rsaauth, there
> is no such API or function. It is possible to imitate rsaauth by
> copy/paste code but that is the problem of open source code. And it
> is more difficult.
>
> Reading a variable is easier, it is one line. Easier to read – easier to
> create. Only government hackers do complex break-ins. Individuals
> usually try something simple and switch to another site (unless they
> were paid to break into exactly this site).
>
To be honest...

if ($this->pObj->security_level == 'rsa' && t3lib_extMgm::isLoaded('rsaauth')) {
	require_once(t3lib_extMgm::extPath('rsaauth') . 'sv1/backends/class.tx_rsaauth_backendfactory.php');
	require_once(t3lib_extMgm::extPath('rsaauth') . 'sv1/storage/class.tx_rsaauth_storagefactory.php');

	$backend = tx_rsaauth_backendfactory::getBackend();
	$storage = tx_rsaauth_storagefactory::getStorage();
		// Preprocess the password
	$password = $this->login['uident'];
	$key = $storage->get();
	if ($key != NULL && substr($password, 0, 4) == 'rsa:') {
			// Decode password and pass to parent
		$decryptedPassword = $backend->decrypt($key, substr($password, 4));
	}
} else {
		// No RSA in play: the cleartext is already in the login array
	$decryptedPassword = $this->login['uident_text'];
}


is the code of saltedpasswords and all you would need...

If we used proper chaining, the first "if" part could be removed 
and we would only need the else branch.

Everyone who wants to break into TYPO3 easily could just copy this 
code, without needing to think about anything.

Therefore the task should be to check whether the "login" array is available 
via a global var... As long as this is the case, nothing is secured.
As long as it is only available within auth services (array in tsfe marked 
private), proper chaining would just "clean up" the code.

regards

Steffen
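The "proper chaining" Steffen describes, as an added example that is neither TYPO3 code nor part of the post: one service turns the transport-encoded `uident` into `uident_text`, the next service only ever reads `uident_text` (the "else branch"), and the login array is passed along the chain instead of being reachable as a global. Class names are hypothetical, and base64 stands in for the RSA decryption so the example runs without rsaauth.

```php
<?php
// Added example (not TYPO3 code, not from the mailing-list post). All class
// names are hypothetical; the 'rsa:' prefix and the uident / uident_text keys
// mirror the saltedpasswords snippet quoted in the thread.
declare(strict_types=1);

// Submitted credentials. Not a global: only services the chain hands it to
// can read it, and every transformation produces a new copy.
final class LoginData
{
    /** @var array<string, string> */
    private array $fields;

    public function __construct(array $fields) { $this->fields = $fields; }

    public function get(string $key): ?string { return $this->fields[$key] ?? null; }

    public function with(string $key, string $value): self
    {
        $copy = clone $this;
        $copy->fields[$key] = $value;
        return $copy;
    }
}

interface AuthServiceInterface
{
    /** Returns the (possibly transformed) login data for the next service. */
    public function process(LoginData $login): LoginData;
}

// Stands in for rsaauth: converts 'uident' into 'uident_text' so later
// services never need to know how to decrypt. PLACEHOLDER transform:
// base64 instead of real RSA, purely to keep the example self-contained.
final class RsaPasswordPreprocessor implements AuthServiceInterface
{
    public function process(LoginData $login): LoginData
    {
        $uident = $login->get('uident') ?? '';
        if (strncmp($uident, 'rsa:', 4) !== 0) {
            return $login;                      // not encoded, nothing to do
        }
        $plain = base64_decode(substr($uident, 4), true);
        if ($plain === false) {
            throw new RuntimeException('malformed encoded password');
        }
        return $login->with('uident_text', $plain);
    }
}

// Stands in for saltedpasswords: only reads 'uident_text', which is exactly
// the else branch left over once decryption moved to the previous service.
final class SaltedPasswordVerifier implements AuthServiceInterface
{
    private string $storedHash;

    public function __construct(string $storedHash) { $this->storedHash = $storedHash; }

    public function process(LoginData $login): LoginData
    {
        $plain = $login->get('uident_text');
        $ok = $plain !== null && password_verify($plain, $this->storedHash);
        return $login->with('auth_result', $ok ? 'ok' : 'failed');
    }
}

// Runs the services in order; the login data never leaves this method.
final class AuthChain
{
    /** @var AuthServiceInterface[] */
    private array $services;

    public function __construct(AuthServiceInterface ...$services) { $this->services = $services; }

    public function authenticate(array $request): bool
    {
        $login = new LoginData($request);
        foreach ($this->services as $service) {
            $login = $service->process($login);
        }
        return $login->get('auth_result') === 'ok';
    }
}

// Constructed sample input: the browser would submit 'rsa:' + encoded password.
$storedHash = password_hash('correct horse', PASSWORD_DEFAULT);
$chain = new AuthChain(new RsaPasswordPreprocessor(), new SaltedPasswordVerifier($storedHash));

var_dump($chain->authenticate(['uident' => 'rsa:' . base64_encode('correct horse')]));
var_dump($chain->authenticate(['uident' => 'rsa:' . base64_encode('wrong')]));
var_dump($chain->authenticate(['uident_text' => 'correct horse']));
```

The point of the layout is the one made in the post: the verifier has no decryption code to copy, and nothing outside `AuthChain::authenticate()` can reach the login data, so an injected line that reads a global no longer has a global to read.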



