[TYPO3-core] Fwd: [TYPO3-dev] Improvement against SQL injections

Michael Stucki michael at typo3.org
Mon Jun 18 13:37:36 CEST 2007


Hi all,

I have been asked by Lars if I could forward his message to this list. So here 
it is. Please keep in mind not to start any discussion about it here but 
in the dev list (= public discussion) instead.

Thanks!
- michael

--------------- Forwarded message (start)

Subject: [TYPO3-dev] Improvement against SQL injections
From: Lars Houmark <lars at typo3.org>
Date: Fri, 15 Jun 2007 20:48:27 +0200
Newsgroup: typo3.dev

Hello developers - especially core team,

We have recently seen a rather big threat with macina_banners, using  
simple SQL injections to gain backend access.

That made me start thinking about how to improve the backend against  
exploits where modifications to the be_users table have been done by  
the evil person.

Here is my idea:

We need a new file. Suggestion for filename: checksums.php - placed  
in the typo3conf folder.

This file holds an array with a checksum of all be_users where the  
checksum is created from the fields; username, password, admin,  
usergroup, disable, tstamp and maybe some others. This checksum is  
being evaluated every time a login is done. If the checksum is correct  
the user is logged in. If not, well, no login. This is logged and  
maybe a warning email like the admin login warning is sent.

When a user is created or modified, this array is updated, so that  
the checksum is correct.

Why all this?

Well. When an evil person is using an exploit, he gains access to  
modify rows in the database. A simple insert query can add another  
backend user, which is admin!!! (only a 1 is needed in the field admin).

By having a simple file, with this array with checksums, this is no  
longer possible. We think that the macina_banners case used exactly  
this method and gave the evil person a very extensive access to the  
actual installation.

These modifications are pretty simple. Only modifications to the add/ 
edit core functions for users is needed. Of course the constant  
syncing of the checksum array needs to be pretty intelligent, but  
hey... You are intelligent guys ;). Besides that some initial  
creation of the file and array is needed for users updating from  
older versions.

We have discussed this on the security list and feel this will secure  
TYPO3 in a new dimension, cutting off the evil hackers' way of gaining  
the backend access.

Maybe you think the file method is not very nifty, but if you have  
any other smart way of getting the same done, please enlighten us ;)

I can see only positive things about using the file. Cross platform  
compatible. Very well tested. Completely separated from the database.  
Why a new file and not just use the localconf.php? Well. Remember the  
localconf bug? ;) Also the localconf.php is thought of as a file that  
can be manually edited by advanced users. This way they may modify  
this checksum array - maybe by mistake, locking themselves and maybe  
everyone else out of the installation. The file should be documented  
in such way that it is DO NOT EDIT!

I would very much like to see this implemented very soon. I feel this  
is very much going to secure TYPO3 on a new level, because right now,  
it is actually very easy to get backend access, if one can find just  
one simple SQL injection.

If I am talking all gibberish - then please tell me, and I will try  
to explain myself better ;)

Have a nice weekend...

Regards,

Lars Houmark
lars at typo3.org

Team Leader of the TYPO3 Security Team

--------------- Forwarded message (end)
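The mechanism proposed in the forwarded message, as an added PHP example that is neither TYPO3 core code nor the author's own: a keyed HMAC over the listed be_users fields (a keyed hash rather than the plain checksum the proposal names, so the value cannot be recomputed from the row alone), kept in an array in a file outside the database, regenerated by the add/edit path and verified at login. The file name checksums.php follows the proposal; indexing the array by uid, keeping the key in the same file, and all function names are assumptions.

```php
<?php
// Added example, not TYPO3 code: out-of-band integrity record for be_users.
// Assumed file: typo3conf/checksums.php; assumed layout: ['key' => ..., 'sums' => [uid => hmac]].

// Fields covered by the checksum, as listed in the proposal (uid added for indexing).
const BE_USER_CHECKSUM_FIELDS = ['uid', 'username', 'password', 'admin', 'usergroup', 'disable', 'tstamp'];

function beUserChecksum(array $row, string $key): string
{
    $parts = [];
    foreach (BE_USER_CHECKSUM_FIELDS as $field) {
        // Length-prefix each value so 'ab'|'c' and 'a'|'bc' cannot produce the same input.
        $value = (string)($row[$field] ?? '');
        $parts[] = strlen($value) . ':' . $value;
    }
    // Keyed hash: a row inserted or altered through SQL injection alone cannot carry a valid sum.
    return hash_hmac('sha256', implode('|', $parts), $key);
}

// Rebuild the whole array whenever a user is created or modified through the backend.
function writeChecksumFile(string $path, array $users, string $key): void
{
    $sums = [];
    foreach ($users as $row) {
        $sums[(int)$row['uid']] = beUserChecksum($row, $key);
    }
    $php = "<?php\n// DO NOT EDIT - generated by the backend user add/edit functions.\n"
         . 'return ' . var_export(['key' => $key, 'sums' => $sums], true) . ";\n";
    // Write to a temporary file and rename, so a half-written file never locks everyone out.
    $tmp = $path . '.tmp';
    file_put_contents($tmp, $php, LOCK_EX);
    rename($tmp, $path);
}

// Called at login with the row just read from be_users: deny unless the stored sum matches.
function beUserIntact(string $path, array $row): bool
{
    $data = include $path;
    $expected = $data['sums'][(int)$row['uid']] ?? null;
    if ($expected === null) {
        return false;   // uid unknown to the file: the row was added directly in the database
    }
    // Constant-time comparison; a mismatch is the event to log and to send the warning mail for.
    return hash_equals($expected, beUserChecksum($row, $data['key']));
}
```

The check only holds as long as the attacker cannot write to typo3conf; an exploit that yields file system access bypasses it, so the file's permissions matter as much as the checksum itself.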