Global site selector authentication bypass

We discussed this vulnerability during Episode 237 on 28 January 2024

I had to go commit surfing to try and figure this out, as there is no write-up, but looking at the fix commit, what I found is a bit of an interesting logic mistake.

The first thing to notice is a bit of weird logic: on lines 181-185 there is a check that, if a password is provided, does a normal userSession->login(...), but if no password is provided, simply sets $result to true. That is a bit suspicious to my eye, but the intent seems to be that when a SAML backend is used for the login process, no password will be provided; just before this code there is a check and function call for exactly that case. The problem is that when they choose to skip validating the password, they don't ensure SAML was actually used, so by providing a blank password one could bypass authentication.

As a bit of a disclaimer, though, the User ID, password and some options are read from a JWT. I'm not sure exactly how this JWT is created, but it is easy to imagine that an attacker does have a decent amount of control over the relevant values, for obvious reasons.
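To make the logic mistake concrete, here is an added illustration in PHP; it is not the project's code, and the `StubUserSession` class, the `loginVulnerable`/`loginFixed` functions and the `$samlUsed` flag are constructed stand-ins modelled on the description above. The vulnerable shape treats an empty password as proof that SAML was used; the fixed shape only skips the password check when the SAML backend actually handled the request.

```php
<?php
// Added illustration, not the project's code: names and the session stub are
// constructed to mirror the decision logic described in the text.

// Constructed stand-in for the real user session; accepts one known password.
class StubUserSession {
    public function login(string $uid, string $password): bool {
        return $uid === 'alice' && $password === 'correct-horse';
    }
}

// Vulnerable shape: an empty password is read as "SAML handled this", so
// $result becomes true without any credential check. The password comes from
// the JWT claims, which the text notes are under outside influence.
function loginVulnerable(array $claims, StubUserSession $session): bool {
    $password = $claims['password'] ?? '';
    if ($password !== '') {
        $result = $session->login($claims['uid'], $password);
    } else {
        $result = true; // intended for SAML logins, but SAML is never confirmed
    }
    return $result;
}

// Fixed shape: the password check is skipped only when the SAML backend
// actually authenticated this request; an empty password otherwise fails.
function loginFixed(array $claims, StubUserSession $session, bool $samlUsed): bool {
    if ($samlUsed) {
        return true; // identity was already established by the SAML backend
    }
    $password = $claims['password'] ?? '';
    if ($password === '') {
        return false; // no SAML and no password: refuse the login
    }
    return $session->login($claims['uid'], $password);
}

$session = new StubUserSession();
$emptyPasswordClaims = ['uid' => 'alice', 'password' => ''];
$validClaims = ['uid' => 'alice', 'password' => 'correct-horse'];

// Empty password with SAML not used: the vulnerable path still grants access,
// the fixed path refuses; a real password still works through the fixed path.
var_dump(loginVulnerable($emptyPasswordClaims, $session));
var_dump(loginFixed($emptyPasswordClaims, $session, false));
var_dump(loginFixed($validClaims, $session, false));
```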