[TYPO3-core] Access denied for old security bug
Helmut Hummel
helmut.hummel at typo3.org
Thu Jun 20 23:48:30 CEST 2013
Hi!
On 20.06.13 11:57, Dmitry Dulepov wrote:
> Helmut Hummel wrote:
>> Nice idea to do it this way, unfortunately, this would introduce a
>> severe security problem. Please read my comment in Gerrit.
>
> Read your comments. Found nothing about a *security* issue. Could you explain
> better? I thought carefully about the solution before pushing it.
It basically re-introduces the vulnerability we fixed before[1][2].
If I know the OpenID of a TYPO3 user, I can log in with *any* Google
account, whether it belongs to this OpenID or not.
Kind regards,
Helmut
[1] http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-sa-2010-001/
[2] https://git.typo3.org/Packages/TYPO3.CMS.git/commit/275af93acf617eee3b189b567289a58b70794c26
--
Helmut Hummel
Release Manager TYPO3 6.0
TYPO3 Core Developer, TYPO3 Security Team Member
TYPO3 .... inspiring people to share!
Get involved: typo3.org