Invalidate the user sessions if a password changes (see CVE-2019-10641)

Author: leofeyer

system/docs/CHANGELOG.md

@@ -1,6 +1,13 @@
 Contao Open Source CMS changelog
 ================================
 
+Version 3.5.39 (2019-04-XX)
+---------------------------
+
+### Fixed
+Invalidate the user sessions if a password changes (see CVE-2019-10641).
+
+
 Version 3.5.38 (2018-12-21)
 ---------------------------
 

system/modules/core/dca/tl_member.php

@@ -608,6 +608,10 @@ public function setNewPassword($strPassword, $user)
 			}
 		}
 
+		// Invalidate the user sessions if the password changes
+		$this->Database->prepare("DELETE FROM tl_session WHERE name='FE_USER_AUTH' AND pid=? AND sessionID!=?")
+					   ->execute($user->id, session_id());
+
 		return $strPassword;
 	}
 

system/modules/core/dca/tl_user.php

@@ -242,6 +242,10 @@
 			'exclude'                 => true,
 			'inputType'               => 'password',
 			'eval'                    => array('mandatory'=>true, 'preserveTags'=>true, 'minlength'=>Config::get('minPasswordLength')),
+			'save_callback' => array
+			(
+				array('tl_user', 'invalidateSessions')
+			),
 			'sql'                     => "varchar(128) NOT NULL default ''"
 		),
 		'pwChange' => array
@@ -732,6 +736,26 @@ public function checkAdminStatus($varValue, DataContainer $dc)
 	}
 
 
+	/**
+	 * Invalidate the user sessions if the password changes
+	 *
+	 * The password widget only triggers the save_callback if the password has actually
+	 * changed, therefore we do not need to check the active record here.
+	 *
+	 * @param mixed         $varValue
+	 * @param DataContainer $dc
+	 *
+	 * @return mixed
+	 */
+	public function invalidateSessions($varValue, DataContainer $dc)
+	{
+		$this->Database->prepare("DELETE FROM tl_session WHERE name='BE_USER_AUTH' AND pid=? AND sessionID!=?")
+					   ->execute($dc->id, session_id());
+
+		return $varValue;
+	}
+
+
 	/**
 	 * Prevent administrators from disabling their own account
 	 *

system/modules/core/modules/ModuleChangePassword.php

@@ -186,6 +186,10 @@ protected function compile()
 				}
 			}
 
+			// Invalidate the user sessions if the password changes
+			$this->Database->prepare("DELETE FROM tl_session WHERE name='FE_USER_AUTH' AND pid=? AND sessionID!=?")
+						   ->execute($objMember->id, session_id());
+
 			// Check whether there is a jumpTo page
 			if (($objJumpTo = $this->objModel->getRelated('jumpTo')) !== null)
 			{

system/modules/core/modules/ModulePassword.php

@@ -254,6 +254,10 @@ protected function setNewPassword()
 					}
 				}
 
+				// Invalidate the user sessions if the password changes
+				$this->Database->prepare("DELETE FROM tl_session WHERE name='FE_USER_AUTH' AND pid=? AND sessionID!=?")
+							   ->execute($objMember->id, session_id());
+
 				// Redirect to the jumpTo page
 				if (($objTarget = $this->objModel->getRelated('reg_jumpTo')) !== null)
 				{