Debian Bug report logs - #514713
Information disclosure and XSS vulnerabilities in TYPO3

version graph

Package: typo3-src; Maintainer for typo3-src is Christian Welzel <gawain@camlann.de>;

Reported by: gawain@camlann.de

Date: Tue, 10 Feb 2009 10:27:01 UTC

Severity: critical

Tags: security

Found in versions 4.0.2+debian-7, 4.2.5-1

Fixed in versions typo3-src/4.2.6-1, typo3-src/4.2.5-1+lenny1

Done: Christian Welzel <gawain@camlann.de>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Christian Welzel <gawain@camlann.de>:
Bug#514713; Package typo3-src. (Tue, 10 Feb 2009 10:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to gawain@camlann.de:
New Bug report received and forwarded. Copy sent to Christian Welzel <gawain@camlann.de>. (Tue, 10 Feb 2009 10:27:03 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Christian Welzel <gawain@camlann.de>
To: submit@bugs.debian.org
Subject: Information disclosure and XSS vulnerabilities in TYPO3
Date: Tue, 10 Feb 2009 11:23:51 +0100
Package: typo3-src	
Version: 4.0.2+debian-7
Severity: critical
Tags: security

TYPO3 Security Bulletin TYPO3-SA-2009-002:
Information Disclosure & XSS in TYPO3 Core

Problem Description 1: An Information Disclosure vulnerability in jumpUrl 
mechanism, used to track access on web pages and provided files, allows a 
remote attacker to read arbitrary files on a host.

The expected value of a mandatory hash secret, intended to invalidate such 
requests, is exposed to remote users allowing them to bypass access control by 
providing the correct value.

There's no authentication required to exploit this vulnerability. The 
vulnerability allows to read any file, the web server user account has access 
to. 

Problem Description 2: Failing to sanitize user input, three fields in the 
backend is open to Cross-Site Scripting (XSS). 


-- 
 MfG, Christian Welzel

  GPG-Key:     http://www.camlann.de/key.asc
  Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15




Bug marked as found in version 4.2.5-1. Request was from Christian Welzel <gawain@camlann.de> to control@bugs.debian.org. (Tue, 10 Feb 2009 10:33:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Welzel <gawain@camlann.de>:
Bug#514713; Package typo3-src. (Tue, 10 Feb 2009 11:18:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to gawain@camlann.de:
Extra info received and forwarded to list. Copy sent to Christian Welzel <gawain@camlann.de>. (Tue, 10 Feb 2009 11:18:02 GMT) Full text and rfc822 format available.

Message #12 received at 514713@bugs.debian.org (full text, mbox):

From: Christian Welzel <gawain@camlann.de>
To: 514713@bugs.debian.org
Subject: Re: Bug#514713: Information disclosure and XSS vulnerabilities in TYPO3
Date: Tue, 10 Feb 2009 12:12:36 +0100
Hi there,

> TYPO3 Security Bulletin TYPO3-SA-2009-002:
> Information Disclosure & XSS in TYPO3 Core

A fixed version of typo3-src version 4.0 for etch is currently waiting 
to be uploaded by my sponsor Holger Levsen on mentors.d.n

http://mentors.debian.net/debian/pool/main/t/typo3-src/typo3-src_4.0.2+debian-8.dsc

-- 
 MfG, Christian Welzel

  GPG-Key:     http://www.camlann.de/key.asc
  Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15




Reply sent to Christian Welzel <gawain@camlann.de>:
You have taken responsibility. (Tue, 10 Feb 2009 15:18:02 GMT) Full text and rfc822 format available.

Notification sent to gawain@camlann.de:
Bug acknowledged by developer. (Tue, 10 Feb 2009 15:18:03 GMT) Full text and rfc822 format available.

Message #17 received at 514713-close@bugs.debian.org (full text, mbox):

From: Christian Welzel <gawain@camlann.de>
To: 514713-close@bugs.debian.org
Subject: Bug#514713: fixed in typo3-src 4.2.6-1
Date: Tue, 10 Feb 2009 15:02:14 +0000
Source: typo3-src
Source-Version: 4.2.6-1

We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive:

typo3-src-4.2_4.2.6-1_all.deb
  to pool/main/t/typo3-src/typo3-src-4.2_4.2.6-1_all.deb
typo3-src_4.2.6-1.diff.gz
  to pool/main/t/typo3-src/typo3-src_4.2.6-1.diff.gz
typo3-src_4.2.6-1.dsc
  to pool/main/t/typo3-src/typo3-src_4.2.6-1.dsc
typo3-src_4.2.6.orig.tar.gz
  to pool/main/t/typo3-src/typo3-src_4.2.6.orig.tar.gz
typo3_4.2.6-1_all.deb
  to pool/main/t/typo3-src/typo3_4.2.6-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 514713@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Welzel <gawain@camlann.de> (supplier of updated typo3-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 10 Feb 2009 12:00:00 +0100
Source: typo3-src
Binary: typo3 typo3-src-4.2
Architecture: source all
Version: 4.2.6-1
Distribution: unstable
Urgency: high
Maintainer: Christian Welzel <gawain@camlann.de>
Changed-By: Christian Welzel <gawain@camlann.de>
Description: 
 typo3      - Powerful content management framework (Meta package)
 typo3-src-4.2 - Powerful content management framework (Core)
Closes: 514713
Changes: 
 typo3-src (4.2.6-1) unstable; urgency=high
 .
   * New upstream release.
     - fixes TYPO3 Security Bulletin TYPO3-SA-2009-002: Information
       disclosure and XSS vulnerabilities in TYPO3 (Closes: 514713)
Checksums-Sha1: 
 3be404f69a8fbe834e194fb70505d401f2f41747 988 typo3-src_4.2.6-1.dsc
 6bf22e18ca9e9ae2bc084a0f07b2f857979a8a22 8147681 typo3-src_4.2.6.orig.tar.gz
 31731f3e05495cfce2cd769d1aeb277be4371ce8 108702 typo3-src_4.2.6-1.diff.gz
 9d2ce31202c2ba84c1b3bab8751a34ddc87eb765 134606 typo3_4.2.6-1_all.deb
 92e4de6a3af84e3de89c91c245f66052c96c5f59 8192452 typo3-src-4.2_4.2.6-1_all.deb
Checksums-Sha256: 
 b6689838f0b04adee26595d344acfa6bc62c75e0e5df93fee4deb15fec8f93f4 988 typo3-src_4.2.6-1.dsc
 b8a47954cf39522b20352ee97c74b173eed50520293f2214d7c72af6782689c8 8147681 typo3-src_4.2.6.orig.tar.gz
 0be565972ba05cf349179e7a7f08d492992ffd1410cc88fd3a0ed2b00ebdb5e0 108702 typo3-src_4.2.6-1.diff.gz
 fd59dbd7b073188d248d51873e60ea9a999d28821fc294db3e02fdfdf171b5c7 134606 typo3_4.2.6-1_all.deb
 0d118aea6cb45766f6c4f42669ae5c09b6a712317dfe59d00554a90b09105d9f 8192452 typo3-src-4.2_4.2.6-1_all.deb
Files: 
 a0577867d4eb87035c9eeb3a369fe4b1 988 web optional typo3-src_4.2.6-1.dsc
 eb6f557a2970105a6a659d0ef1a92cec 8147681 web optional typo3-src_4.2.6.orig.tar.gz
 89baa0a5c20fd4cba2e9a4a925f89b44 108702 web optional typo3-src_4.2.6-1.diff.gz
 976b69e7df55a9c7eaab731c367f4679 134606 web optional typo3_4.2.6-1_all.deb
 d15f691f1cf400e215211fb1933b4667 8192452 web optional typo3-src-4.2_4.2.6-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmRkmEACgkQHYflSXNkfP/itQCgng5astzvMJ4tB1LvwVYNzzE2
lz0AnjutK22ofmV+GZOtmI+deOmtdgKQ
=uCNT
-----END PGP SIGNATURE-----





Reply sent to Christian Welzel <gawain@camlann.de>:
You have taken responsibility. (Tue, 10 Feb 2009 15:48:06 GMT) Full text and rfc822 format available.

Notification sent to gawain@camlann.de:
Bug acknowledged by developer. (Tue, 10 Feb 2009 15:48:06 GMT) Full text and rfc822 format available.

Message #22 received at 514713-close@bugs.debian.org (full text, mbox):

From: Christian Welzel <gawain@camlann.de>
To: 514713-close@bugs.debian.org
Subject: Bug#514713: fixed in typo3-src 4.2.5-1+lenny1
Date: Tue, 10 Feb 2009 15:32:10 +0000
Source: typo3-src
Source-Version: 4.2.5-1+lenny1

We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive:

typo3-src-4.2_4.2.5-1+lenny1_all.deb
  to pool/main/t/typo3-src/typo3-src-4.2_4.2.5-1+lenny1_all.deb
typo3-src_4.2.5-1+lenny1.diff.gz
  to pool/main/t/typo3-src/typo3-src_4.2.5-1+lenny1.diff.gz
typo3-src_4.2.5-1+lenny1.dsc
  to pool/main/t/typo3-src/typo3-src_4.2.5-1+lenny1.dsc
typo3_4.2.5-1+lenny1_all.deb
  to pool/main/t/typo3-src/typo3_4.2.5-1+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 514713@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Welzel <gawain@camlann.de> (supplier of updated typo3-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 10 Feb 2009 15:00:00 +0100
Source: typo3-src
Binary: typo3 typo3-src-4.2
Architecture: source all
Version: 4.2.5-1+lenny1
Distribution: testing-security
Urgency: high
Maintainer: Christian Welzel <gawain@camlann.de>
Changed-By: Christian Welzel <gawain@camlann.de>
Description: 
 typo3      - Powerful content management framework (Meta package)
 typo3-src-4.2 - Powerful content management framework (Core)
Closes: 514713
Changes: 
 typo3-src (4.2.5-1+lenny1) testing-security; urgency=high
 .
   * Added patches (backported from 4.2.6) to fix a critical information
     disclosure vulnerability in TYPO3 core and a XSS issue in TYPO3
     backend module (Closes: 514713).
Checksums-Sha1: 
 bddbe90a7d4f43f5d608c5efd343ba1a5d99b4ce 1016 typo3-src_4.2.5-1+lenny1.dsc
 93c3cf6c5db77b93fa2e090ae272d29566e49d1b 8144727 typo3-src_4.2.5.orig.tar.gz
 57519be969841d5cf4a40745e65e912b3564add4 109976 typo3-src_4.2.5-1+lenny1.diff.gz
 acc6daad479c102628f6b1f58047a29891acde23 133756 typo3_4.2.5-1+lenny1_all.deb
 d93739c7310aa131a4f32fda304ebc229710d669 8181114 typo3-src-4.2_4.2.5-1+lenny1_all.deb
Checksums-Sha256: 
 e9f9b9dae473d88123041e87daeed55ad938f160acec8d7c08ead26f3cb079ad 1016 typo3-src_4.2.5-1+lenny1.dsc
 8de681685ac020b471e9da91440ad97b0bbaba1caa2188719644711def8a3ed3 8144727 typo3-src_4.2.5.orig.tar.gz
 cd30f3e9dea8b00a29cd1b1956cb8a53ed4b65b02b148b74e01a070721cccb14 109976 typo3-src_4.2.5-1+lenny1.diff.gz
 eddbdbee8d3f5781c0ae40aeb70e1696211fd12c2f7d6a3c7abd221606226e22 133756 typo3_4.2.5-1+lenny1_all.deb
 e4bcede90f62162188e955eb125e911ff6959149cd8047ad403a54ab7043400b 8181114 typo3-src-4.2_4.2.5-1+lenny1_all.deb
Files: 
 ed22ba3b5744983a81264e4fb418ea80 1016 web optional typo3-src_4.2.5-1+lenny1.dsc
 75b2e5db6ac586fb6176f329be452159 8144727 web optional typo3-src_4.2.5.orig.tar.gz
 e4eec7cdd26c6ddcf8c6c4dfc9ff9839 109976 web optional typo3-src_4.2.5-1+lenny1.diff.gz
 d8139c971339516196e056b53c038b60 133756 web optional typo3_4.2.5-1+lenny1_all.deb
 cf42b5a2332d3dadfd9f2313215c0796 8181114 web optional typo3-src-4.2_4.2.5-1+lenny1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmRmrMACgkQHYflSXNkfP+u5wCeNLcCzSldWmgEZqyMHuVva7y5
u9gAoJkTORxwBat/RjxaEIWcS66eX4S0
=qSzq
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 11 Mar 2009 07:29:20 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 10:38:24 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.