[TYPO3-core] RFC #16223 : Bugfix : Failed backend userlogins are not written to syslog using saltedpasswords

Bjoern Pedersen bjoern.pedersen at frm2.tum.de
Fri Mar 18 09:12:59 CET 2011


> The logging functions in saltedpasswords are not able to log failed
> backend userlogins to TYPO3's syslog, because the inherited
> writelog-function gets overridden by a local function. As a result, no
> notification e-mail is sent to [warning_email_addr] when a backend user
> has multiple failed login attempts. A remote “attacker” could try to
> log in to a TYPO3 installation's backend numerous times without being
> noticed (no log entry and no warning-email if configured).

Almost correct. The base class log function is called "writelog" (all
lower case), the additional log function in saltedpasswords "writeLog"
(camel case, first word lower case). So it should be enough to add calls
to $this->writelog... (lower case).

Björn

PS: TYPO3 changed their patch submission to git/gerrit
see
http://forge.typo3.org/projects/team-forge/wiki/Working_with_Git_and_Gerrit.
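
The override described in the quoted report, as an added PHP example that is not TYPO3 or saltedpasswords code and not part of the original message: PHP resolves method names case-insensitively, so a subclass `writeLog()` replaces an inherited `writelog()`. The class names, properties, method signatures and the three-failure threshold are constructed for illustration.

```php
<?php
// Hypothetical stand-in for the base authentication class.
class BaseAuth {
    public $syslog = array();         // stands in for the syslog table
    public $failures = 0;
    public $warningMailSent = false;  // stands in for the warning_email_addr mail

    // Base-class logger: records the entry and warns after repeated failures.
    public function writelog($message, $isError = false) {
        $this->syslog[] = $message;
        if ($isError && ++$this->failures >= 3) {   // constructed threshold
            $this->warningMailSent = true;
        }
    }
}

// Hypothetical stand-in for the saltedpasswords service.
class SaltedAuth extends BaseAuth {
    public $devlog = array();         // local debug log only

    // Method names are case-insensitive in PHP, so this REPLACES writelog().
    public function writeLog($message, $isError = false) {
        $this->devlog[] = $message;
    }

    // Either spelling dispatches to the method above; syslog stays empty.
    public function failedLoginUnlogged($user) {
        $this->writelog("Login failed for $user", true);
    }

    // parent:: bypasses the override and reaches the base-class logger.
    public function failedLoginLogged($user) {
        $this->writeLog("Login failed for $user", true);
        parent::writelog("Login failed for $user", true);
    }
}

// Constructed scenario: three failed logins through each code path.
foreach (array('failedLoginUnlogged', 'failedLoginLogged') as $path) {
    $auth = new SaltedAuth();
    for ($i = 0; $i < 3; $i++) {
        $auth->$path('admin');
    }
    printf("%s: syslog entries=%d, warning mail=%s\n",
        $path, count($auth->syslog), var_export($auth->warningMailSent, true));
}
```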

