Skip to content

Gain BE access using old passwords

It is possible to gain a backend session using a password, which is not matching the requirements.

Steps to reproduce

  1. Force a be user to reset the password (tx_besecurepw_lastpwchange => 0)
  2. Login with the old password
  3. The user gets redirected to user settings modul and gets the message "Your password expired"
  4. Set a weak password and save the settings (for example test123)
  5. An error message occurs, that the password does not match the requirements.
  6. The user gets redirected to the normal TYPO3 BE
  7. Log out
  8. Try to login again with the weak password => Login fails
  9. Try to login again with the old password => Login works. The db field tx_besecurepw_lastpwchange is filled with the timestamp of the password change.

System

  • TYPO3: V11.5
  • php: 7.4
  • EXT:be_secure_pw: 10.1.2
Edited by Marcus Schwemer
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information