LDAP / SSO Authentication ig_ldap_sso_auth with security vulnerability
Due to a security vulnerability in the TYPO3 extension ig_ldap_sso_auth, the first security bulletin for 2015 was sent out today. Version 2.0.0 is vulnerable to unauthorized authentication.
Affected version: 2.0.0
Security risk: Critical
Solution: Update to latest version 2.0.1
It is currently unclear why the security bulletin was only sent out today. Version 2.0.1 is already available in the TER since 12/19/2014.
TYPO3 and LDAP
The connection to an LDAP (Lightweight Directory Access Protocol) directory service allows frontend users (FE users) and backend users (BE users) to use the same password for TYPO3 as for other services or at the workstation. If the password is changed at a central location, all logins on the different systems are updated in one go. LDAP is therefore mainly used by larger companies with a corresponding technical infrastructure.
The TYPO3 extension ig_ldap_sso_auth additionally enables Single Sign-On (SSO). This functionality allows users to switch to another system after a successful login to one system without authenticating again. With ig_ldap_sso_auth, a Microsoft Windows server can be queried in the background; this requires NTLM authentication to be available as an Apache2 module on the server.
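The bulletin above does not say what caused the unauthorized authentication in 2.0.0, so the following is not a reconstruction of it. It is an added example, not code from the ig_ldap_sso_auth extension, showing the bind pattern a practitioner would expect from any LDAP-backed TYPO3 login: look up the user's DN with a read-only service account, then prove the password with a second bind as that user, and refuse empty passwords before ever talking to the directory. Hostnames, DNs, attribute names and the service account password are placeholders.

```php
<?php
// Added example (not the extension's own code): verify a user's credentials
// against an LDAP directory with a two-step bind. Hostnames, DNs and
// attribute names are placeholders for a real deployment.

function ldapAuthenticate(string $username, string $password): bool
{
    // Placeholder settings; adjust to the directory in use.
    $uri    = 'ldaps://ldap.example.invalid';
    $baseDn = 'ou=people,dc=example,dc=invalid';
    $bindDn = 'cn=typo3-reader,ou=services,dc=example,dc=invalid';
    $bindPw = 'SERVICE_ACCOUNT_PASSWORD_PLACEHOLDER';

    // Many directories treat a bind with an empty password as an anonymous
    // (unauthenticated) bind and report success. Reject that case up front
    // so an empty form field can never be mistaken for a valid login.
    if ($username === '' || $password === '') {
        return false;
    }

    $conn = ldap_connect($uri);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Step 1: bind with the read-only service account and resolve the
    // user's DN. The filter value is escaped so the username cannot alter
    // the search filter.
    if (!@ldap_bind($conn, $bindDn, $bindPw)) {
        ldap_close($conn);
        return false;
    }
    $filter = sprintf(
        '(&(objectClass=person)(uid=%s))',
        ldap_escape($username, '', LDAP_ESCAPE_FILTER)
    );
    $search = @ldap_search($conn, $baseDn, $filter, ['dn']);
    if ($search === false) {
        ldap_close($conn);
        return false;
    }
    $entries = ldap_get_entries($conn, $search);

    // Exactly one match is required; zero means no such user, more than
    // one means the lookup is ambiguous and must not be trusted.
    if ($entries === false || $entries['count'] !== 1) {
        ldap_close($conn);
        return false;
    }
    $userDn = $entries[0]['dn'];

    // Step 2: bind as the user with the supplied password. Only a
    // successful bind here proves the password; finding the entry in
    // step 1 proves nothing about who is logging in.
    $ok = @ldap_bind($conn, $userDn, $password);
    ldap_close($conn);
    return $ok === true;
}
```

The function returns true only when both binds succeed and the search matched a single entry; every other path, including a directory that is unreachable, yields false rather than an exception that a caller might mishandle as "logged in".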