CVE-2009-0256: Authentication library in TYPO3 vulnerable to session fixation

CVSS Score: 7.5

Basic Information

EPSS Score: 0.74821%
Published: 5/2/2022
Updated: 1/23/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| typo3/cms | composer | >= 4.0.0, <= 4.0.9 | 4.0.10 |
| typo3/cms | composer | >= 4.1.0, <= 4.1.7 | 4.1.8 |
| typo3/cms | composer | >= 4.2.0, <= 4.2.3 | 4.2.4 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from TYPO3's failure to regenerate session IDs during authentication (CWE-384). Session fixation occurs when the system accepts an attacker-provided session ID without invalidation. The core authentication classes (AbstractUserAuthentication and its Frontend/Backend implementations) are responsible for session management. The start() method initializes sessions, while handleLogin() processes authentication. In vulnerable versions, these functions did not include session_regenerate_id() calls or equivalent protections after successful authentication, allowing session identifiers to persist across login events. This matches the CWE-384 pattern and the advisory's description of frontend/backend authentication vectors.
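
The pattern described above, as an added example (generic PHP written for this page, not TYPO3's source code; credentials_valid(), the demo account and the temporary save path are assumptions): a login that keeps the pre-login session ID next to one that rotates it with session_regenerate_id().

```php
<?php
declare(strict_types=1);

// Added example: generic PHP session handling, not TYPO3 source code.
ini_set('session.save_path', sys_get_temp_dir()); // demo only: writable store for CLI runs
ini_set('session.use_strict_mode', '1');          // reject session IDs the server did not issue
ini_set('session.use_only_cookies', '1');         // never accept a session ID from the URL

/** Hypothetical credential check standing in for the real user lookup. */
function credentials_valid(string $user, string $password): bool
{
    // Constructed demo account; a real hash would come from the user store.
    static $hash = null;
    $hash ??= password_hash('correct horse', PASSWORD_DEFAULT);
    return $user === 'editor' && password_verify($password, $hash);
}

/** Vulnerable pattern (CWE-384): the pre-login session ID survives authentication. */
function login_keep_id(string $user, string $password): bool
{
    if (!credentials_valid($user, $password)) {
        return false;
    }
    $_SESSION['user'] = $user; // the same ID now names an authenticated session
    return true;
}

/** Hardened pattern: issue a fresh ID and delete the old session record. */
function login_rotate_id(string $user, string $password): bool
{
    if (!credentials_valid($user, $password)) {
        return false;
    }
    session_regenerate_id(true); // true = remove the old session data
    $_SESSION['user'] = $user;
    return true;
}

// Demo: compare the session ID before and after each login path.
session_start();
$before = session_id();
login_keep_id('editor', 'correct horse');
$idKept = ($before === session_id());    // did the pre-login ID survive?
login_rotate_id('editor', 'correct horse');
$idRotated = ($before !== session_id()); // was a new ID issued?
session_write_close();
printf("id kept: %s, id rotated: %s\n", var_export($idKept, true), var_export($idRotated, true));
```

Run it with the PHP CLI (7.4 or later); all session calls happen before any output so that no headers-already-sent warning interferes.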
