[TYPO3-core] Access denied for old security bug
Christian Weiske
christian.weiske at netresearch.de
Fri Jun 21 13:05:05 CEST 2013
Hello Dmitry,
> > If I know the OpenID of a TYPO3 user, I can log in with *any* google
> > account, if it belongs to this OpenID or not.
>
> The ID of the authenticated user was a
> string of random characters. So it seems like we cannot authenticate
> with Google at all because it does not provide the information about
> the user. Dead end :(
This string (the full claimed_id) is all we need.
This URL must be in the user's backend user OpenID field, and all is
fine: We run the OpenID auth process and get the claimed_id. Then we
look it up in the user table and if we find it, the user is logged in.
Fin.
Btw, we're just as of this moment working on a backend user wizard to
add the OpenID - which takes care of the problem that the user does not
know his Google OpenID in advance.
--
Regards/Mit freundlichen Grüßen
Christian Weiske
-= Geeking around in the name of science since 1982 =-
More information about the TYPO3-team-core
mailing list