Debian Bug report logs - #590719
TYPO3 Security Bulletin TYPO3-SA-2010-012: Multiple vulnerabilities in TYPO3 Core


Package: typo3-src; Maintainer for typo3-src is Christian Welzel <gawain@camlann.de>;

Reported by: Christian Welzel <gawain@camlann.de>

Date: Wed, 28 Jul 2010 19:27:02 UTC

Severity: critical

Tags: security

Found in versions 4.2.5-1+lenny3, 4.3.3-2

Fixed in versions 4.3.5-1, typo3-src/4.2.5-1+lenny4

Done: Christian Welzel <gawain@camlann.de>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#590719; Package typo3-src. (Wed, 28 Jul 2010 19:27:04 GMT)

Acknowledgement sent to Christian Welzel <gawain@camlann.de>:
New Bug report received and forwarded. (Wed, 28 Jul 2010 19:27:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Christian Welzel <gawain@camlann.de>
To: submit@bugs.debian.org
Subject: TYPO3 Security Bulletin TYPO3-SA-2010-012: Multiple vulnerabilities in TYPO3 Core
Date: Wed, 28 Jul 2010 20:46:50 +0200
Package: typo3-src
Version: 4.2.5-1+lenny3
Severity: critical
Tags: security


Vulnerability Types: Cross-Site Scripting (XSS), Open Redirection, SQL
Injection, Broken Authentication and Session Management, Insecure
Randomness, Information Disclosure, Arbitrary Code Execution


Vulnerable subcomponent #1: Backend

Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C
Problem Description: Failing to sanitize user input, the TYPO3 backend is
susceptible to XSS attacks in several places. A valid backend login is
required to exploit these vulnerabilities.



Vulnerability Type: Open Redirection
Severity: High
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C
Problem Description: Failing to sanitize user input, the TYPO3 backend is
susceptible to open redirection in several places.



Vulnerability Type: SQL Injection
Severity: High
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C
Problem Description: Failing to properly escape user input for a database
query, some backend record editing forms are susceptible to SQL injection.
This is only exploitable by an editor who has the right to edit records
which have a special "where" query definition in TCA or records which
use the auto suggest feature available in TYPO3 versions 4.3 or higher.



Vulnerability Type: Arbitrary Code Execution
Severity: None/High (Depending on the webserver configuration)
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:C/I:C/A:N/E:POC/RL:OF/RC:C
Problem Description: Because of an insufficiently secure default value of
the TYPO3 configuration variable fileDenyPattern, backend users are able
to upload files with the .phtml file extension, which may be executed as
PHP with certain webserver setups. The new default value for the
fileDenyPattern now is: \.(php[3-6]?|phpsh|phtml)(\..*)?$|^\.htaccess$



Vulnerability Type: Information Disclosure
Severity: Low
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C
Problem Description: If an extension with a defective backend module is
installed, TYPO3 will issue an error message which reveals the complete
path to the web root.



Vulnerability Type: Information Disclosure / Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:H/Au:M/C:C/I:C/A:C/E:U/RL:OF/RC:C
Problem Description: Failing to properly validate and escape user input,
the Extension Manager is susceptible to XSS. Additionally, by forging a
special request parameter it is possible to view (and edit under special
conditions) the contents of every file the webserver has access to. A
valid admin user login is required to exploit this vulnerability.




Vulnerable subcomponent #2: User authentication


Vulnerability Type: Insecure Randomness
Severity: Very Low
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C
Problem Description: As a precaution against PHP's weak randomness in the
uniqid() function, the random byte generation function
t3lib_div::generateRandomBytes() has been vastly improved, especially
for Windows systems. In addition, TYPO3 now uses this function to
generate a session id for frontend and backend authentication instead of
PHP's uniqid().
Note: Nevertheless, the probability of guessing the session id was very
low even before this improvement.




Vulnerable subcomponent #3: Frontend


Vulnerability Type: Spam Abuse
Severity: High
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:N/A:N/E:POC/RL:OF/RC:C
Problem Description: Failing to check for valid parameters, the
native form content element is susceptible to spam abuse. An attacker
could abuse the form to send mails to arbitrary email addresses.



Vulnerability Type: Header Injection
Severity: Low/High (depending on the PHP version used)
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C
Problem Description: Failing to sanitize user input, the secure download
feature (jumpurl) of TYPO3 is susceptible to header injection /
manipulation.
Note: Since PHP 4.4.2 and 5.1.2 it is no longer possible to send more
than one header at once. This mitigates the impact of this
vulnerability, making it only possible to spoof the MIME type of the
download.




Vulnerable subcomponent #4: Frontend Login


Vulnerability Type: Open Redirection, Cross-Site Scripting
Severity: High
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C
Problem Description: Failing to sanitize user input, the frontend login
box is susceptible to Open Redirection and Cross-Site Scripting.



Vulnerability Type: Insecure Randomness
Severity: High
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C
Problem Description: The "forgot password" function generates a hash
which is verified to authenticate the password change request. Because
of very low randomness while generating the hash, especially on Windows
systems, brute forcing the hash value is possible in a short timeframe.



Vulnerable subcomponent #5: Install Tool


Vulnerability Type: Broken Authentication and Session Management
Severity: Low
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:C/I:C/A:N/E:POC/RL:OF/RC:C
Problem Description: TYPO3 authenticates install tool users without
invalidating a supplied session identifier. Therefore, TYPO3 is open for
session fixation attacks, making an attacker able to hijack a victim's
session.



Vulnerable subcomponent #6: FLUID Templating Engine


Vulnerability Type: Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C
Problem Description: Failing to escape the output, using the textarea
view helper in an extbase extension leads to an XSS vulnerability if the
extension author does not take care of escaping the output.



Vulnerable subcomponent #7: Mailing API


Vulnerability Type: Information Disclosure
Severity: Very Low
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C
Problem Description: The TYPO3 HTML mailing API class t3lib_htmlmail
includes the exact version number of the TYPO3 installation in the mail
header.



-- 
 MfG, Christian Welzel

  GPG-Key:     http://www.camlann.de/de/pgpkey.html
  Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
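Editor's added example for the fileDenyPattern item above (not code from the bulletin, the reporter, or TYPO3): it applies the new default pattern quoted in the bulletin to a constructed list of upload names and compares it with a reconstruction of the pre-fix default. The reconstruction simply drops the phtml alternative the bulletin says was added, and the case-insensitive match stands in for a PCRE /i preg_match; both are assumptions. The pattern uses nothing that differs between PCRE and Python's re module, so the results carry over.

```python
import re

# The fileDenyPattern default introduced with the fix, exactly as quoted in the
# bulletin. TYPO3 rejects an upload whose filename matches this pattern.
FIXED_DENY_PATTERN = r"\.(php[3-6]?|phpsh|phtml)(\..*)?$|^\.htaccess$"

# ASSUMPTION: the pre-fix default is reconstructed here by removing the phtml
# alternative the bulletin says was missing; it is not quoted from TYPO3 4.2.
ASSUMED_OLD_DENY_PATTERN = r"\.(php[3-6]?|phpsh)(\..*)?$|^\.htaccess$"


def upload_allowed(filename, deny_pattern):
    """Return True if an upload with this filename would pass the deny check.

    ASSUMPTION: the pattern is applied case-insensitively, as a PCRE /i match
    would be; nothing in the pattern behaves differently under Python's re.
    """
    return re.search(deny_pattern, filename, re.IGNORECASE) is None


def classify_uploads(filenames, deny_pattern):
    """Map each filename to whether the given pattern would let it through."""
    return {name: upload_allowed(name, deny_pattern) for name in filenames}


# Constructed sample filenames: the ones an attacker would try first, plus
# ordinary uploads that must keep working.
SAMPLE_UPLOADS = [
    "shell.phtml",       # the .phtml case the bulletin describes
    "SHELL.PHTML",       # case variation
    "shell.phtml.jpg",   # double extension; Apache mod_mime may still run it as PHP
    "shell.php",
    "shell.php5",
    "shell.php.txt",     # double extension, caught by the (\..*)?$ tail
    ".htaccess",         # an uploader must not be able to change handler config
    "report.pdf",        # legitimate upload
    "photo.jpg",         # legitimate upload
]


def newly_blocked(filenames):
    """Filenames the old default let through that the fixed default rejects."""
    old = classify_uploads(filenames, ASSUMED_OLD_DENY_PATTERN)
    new = classify_uploads(filenames, FIXED_DENY_PATTERN)
    return sorted(name for name in filenames if old[name] and not new[name])


if __name__ == "__main__":
    for name, allowed in classify_uploads(SAMPLE_UPLOADS, FIXED_DENY_PATTERN).items():
        print(f"{name:20s} {'allowed' if allowed else 'denied'}")
    print("newly blocked by the fix:", newly_blocked(SAMPLE_UPLOADS))
```

The `(\..*)?$` tail is what makes the pattern survive double extensions such as `shell.php.txt`: a webserver configured with mod_mime style extension handling can still pick the PHP handler from a non-final extension, so denying on any `.php*` component rather than only the last one is the right shape. Note that the pattern is a deny list; a new executable extension enabled on the webserver (which is exactly how `.phtml` slipped through) has to be added to it by hand, so after changing handler configuration the pattern should be re-checked.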

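Editor's added example for the Frontend Login open redirection item (not code from the bulletin, the reporter, or TYPO3): a login box that sends the user back to a caller-supplied URL after authentication has to verify that the target stays on its own host. The site host, the parameter handling and the naive check shown for contrast are all hypothetical; the point is that string-prefix checks fail on inputs browsers parse differently from the server, so the structure of the URL is validated instead.

```python
import re
from urllib.parse import urlsplit

# ASSUMPTION: hostname of the site whose login box is being protected.
SITE_HOST = "www.example.org"
SAFE_DEFAULT = "/"


def naive_redirect_target(candidate, default=SAFE_DEFAULT):
    """A common but insufficient check: "starts with one slash, so it is local"."""
    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate
    return default


def safe_redirect_target(candidate, site_host=SITE_HOST, default=SAFE_DEFAULT):
    """Return a redirect target that stays on site_host, otherwise `default`.

    Normalises the input the way a browser will before deciding, so that the
    server and the browser agree on where the URL points.
    """
    if not candidate:
        return default
    # Browsers drop tab and newline characters anywhere in a URL and treat a
    # backslash like a slash, so "/\\evil.example" and "/\t/evil.example" are
    # both fetched as "//evil.example". Apply the same rewriting first.
    normalised = re.sub(r"[\t\r\n]", "", candidate).strip().replace("\\", "/")
    # Any run of two or more leading slashes is read as an authority by
    # browsers ("///evil.example" navigates to evil.example); collapse it so
    # urlsplit sees an authority too.
    if normalised.startswith("//"):
        normalised = "//" + normalised.lstrip("/")

    parts = urlsplit(normalised)

    # Reject non-web schemes outright (javascript:, data:, ...).
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default

    if parts.netloc:
        # Absolute or protocol-relative URL: the host must be ours.
        # .hostname strips user-info and port, so
        # "https://www.example.org@evil.example/" is seen as evil.example.
        try:
            parts.port  # raises ValueError for a non-numeric or out-of-range port
        except ValueError:
            return default
        if (parts.hostname or "").lower() != site_host.lower():
            return default
        return normalised

    # No authority: allow only a root-relative path. "http:/evil.example"
    # (scheme, no authority) is rejected here because browsers would still
    # resolve it to evil.example.
    if parts.scheme or not normalised.startswith("/"):
        return default
    return normalised


# Constructed inputs: what a redirect parameter might carry.
SAMPLE_TARGETS = [
    "/account",
    "https://www.example.org/account",
    "https://evil.example/",
    "//evil.example/",
    "/\\evil.example",
    "///evil.example",
    "/\t/evil.example",
    "https://www.example.org@evil.example/",
    "https://www.example.org.evil.example/",
    "javascript:alert(1)",
    "http:evil.example",
    "http:/evil.example",
]

if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        print(f"{target!r:45} naive={naive_redirect_target(target)!r:20} safe={safe_redirect_target(target)!r}")
```

`/\evil.example` and `/<tab>/evil.example` are the instructive cases: the naive check accepts both, yet a browser follows them off site. The hardened function is deliberately strict (a plain relative path such as `account` is dropped to the default), which is the usual trade-off for a post-login redirect where a wrong guess costs the user a click and a right guess costs them credentials on a phishing page.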

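Editor's added example for the Install Tool session fixation item (not code from the bulletin, the reporter, or TYPO3): a minimal server-side session store that shows why authenticating a user under the session identifier the client presented lets an attacker who planted that identifier inherit the login, and how issuing a fresh identifier at login closes it. The store, the identifier format and the planting step are all stand-ins for the real Install Tool, not a description of it.

```python
import secrets


class SessionStore:
    """Minimal server-side session store used to show the fixation problem.

    Sessions are keyed by the identifier the client presents in its cookie.
    ASSUMPTION: this stands in for the Install Tool's session handling; it
    is not TYPO3 code.
    """

    def __init__(self):
        self._sessions = {}   # session id -> {"user": str | None}

    def resume(self, presented_id):
        """Adopt whatever id the client presents, creating it if unknown.

        Accepting an unknown id is what makes fixation possible: an attacker
        can plant a known id in the victim's browser before the victim logs in.
        """
        if presented_id not in self._sessions:
            self._sessions[presented_id] = {"user": None}
        return presented_id

    def login_vulnerable(self, session_id, user):
        """Authenticate in place: the planted id is now a logged-in session."""
        self._sessions[session_id]["user"] = user
        return session_id

    def login_fixed(self, session_id, user):
        """Authenticate into a fresh id and discard the presented one.

        This is the invalidation the bulletin says was missing: after login
        the only id bound to the user is one the attacker never saw.
        """
        self._sessions.pop(session_id, None)
        new_id = secrets.token_urlsafe(32)
        self._sessions[new_id] = {"user": user}
        return new_id

    def user_for(self, session_id):
        """Who the server believes is behind this id (None if nobody)."""
        return self._sessions.get(session_id, {}).get("user")


def fixation_attack(login):
    """Run the attack against a login routine; return what the planted id resolves to.

    1. The attacker chooses an id and plants it in the victim's browser
       (how it gets there is out of scope here).
    2. The victim logs in while presenting that id.
    3. The attacker presents the same id and checks whether it is authenticated.
    """
    store = SessionStore()
    planted = store.resume("id-chosen-by-attacker")   # attacker's own request
    victim_presents = store.resume(planted)           # victim's browser sends the planted cookie
    login(store, victim_presents, "admin")            # victim authenticates
    return store.user_for(planted)                    # attacker's view afterwards


if __name__ == "__main__":
    print("vulnerable login, attacker sees:", fixation_attack(SessionStore.login_vulnerable))
    print("fixed login, attacker sees:     ", fixation_attack(SessionStore.login_fixed))
```

Two details matter in the fixed path: the old identifier is removed, not merely left unauthenticated, and the replacement comes from a CSPRNG rather than from anything the client influenced. Rotating the identifier again on privilege changes and on logout follows the same pattern.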


Bug Marked as found in versions 4.3.3-2. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Sun, 29 Aug 2010 10:39:03 GMT)

Bug Marked as fixed in versions 4.3.5-1. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Sun, 29 Aug 2010 10:39:04 GMT)

Reply sent to Christian Welzel <gawain@camlann.de>:
You have taken responsibility. (Sun, 29 Aug 2010 13:57:10 GMT)

Notification sent to Christian Welzel <gawain@camlann.de>:
Bug acknowledged by developer. (Sun, 29 Aug 2010 13:57:10 GMT)

Message #14 received at 590719-close@bugs.debian.org:

From: Christian Welzel <gawain@camlann.de>
To: 590719-close@bugs.debian.org
Subject: Bug#590719: fixed in typo3-src 4.2.5-1+lenny4
Date: Sun, 29 Aug 2010 13:52:39 +0000
Source: typo3-src
Source-Version: 4.2.5-1+lenny4

We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive:

typo3-src-4.2_4.2.5-1+lenny4_all.deb
  to main/t/typo3-src/typo3-src-4.2_4.2.5-1+lenny4_all.deb
typo3-src_4.2.5-1+lenny4.diff.gz
  to main/t/typo3-src/typo3-src_4.2.5-1+lenny4.diff.gz
typo3-src_4.2.5-1+lenny4.dsc
  to main/t/typo3-src/typo3-src_4.2.5-1+lenny4.dsc
typo3_4.2.5-1+lenny4_all.deb
  to main/t/typo3-src/typo3_4.2.5-1+lenny4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 590719@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Welzel <gawain@camlann.de> (supplier of updated typo3-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 06 Aug 2010 23:30:00 +0200
Source: typo3-src
Binary: typo3 typo3-src-4.2
Architecture: source all
Version: 4.2.5-1+lenny4
Distribution: stable-security
Urgency: high
Maintainer: Christian Welzel <gawain@camlann.de>
Changed-By: Christian Welzel <gawain@camlann.de>
Description: 
 typo3      - Powerful content management framework (Meta package)
 typo3-src-4.2 - Powerful content management framework (Core)
Closes: 590719
Changes: 
 typo3-src (4.2.5-1+lenny4) stable-security; urgency=high
 .
   * Added patches (backported from 4.2.13 and 4.2.14) to fix the security issues
     from "TYPO3-SA-2010-012: Multiple vulnerabilities in TYPO3 Core"
     (Closes: 590719).
Checksums-Sha1: 
 a3032612c530669e6a9ece4702628e266d44f06d 1008 typo3-src_4.2.5-1+lenny4.dsc
 f3dd7c5cba0933abe098d9929a2e0c1ac27af500 146540 typo3-src_4.2.5-1+lenny4.diff.gz
 ae57fc3ddb5df70656d4aad852aa82cc425e6891 133958 typo3_4.2.5-1+lenny4_all.deb
 7eba0e4cd3d86291440cd47c7f6de040b3566388 8192390 typo3-src-4.2_4.2.5-1+lenny4_all.deb
Checksums-Sha256: 
 2c3889a09aea55723311ecf55e02db017b7e99ca45f6e80dc0823c4cdf5757f4 1008 typo3-src_4.2.5-1+lenny4.dsc
 f22cc758d7d0e727bbbde1580150a7d12d1b55ebd31a4890fd272e26d8969373 146540 typo3-src_4.2.5-1+lenny4.diff.gz
 a61c356a3c1fc7e0dbab7bbf6181467071aa31b69ffe92918345ed96df54bfe8 133958 typo3_4.2.5-1+lenny4_all.deb
 d1e01069f3562bbcff960dde00606b0de7ecfb02d03195f6322c657c6ba280ea 8192390 typo3-src-4.2_4.2.5-1+lenny4_all.deb
Files: 
 018342ba199d8f866382b6791a617831 1008 web optional typo3-src_4.2.5-1+lenny4.dsc
 9a2b90a47fd6373863cf43cecbbb53ee 146540 web optional typo3-src_4.2.5-1+lenny4.diff.gz
 4ec08c57f0dc4abb1681e98f403d81de 133958 web optional typo3_4.2.5-1+lenny4_all.deb
 88cd8939bd4d1c5aad5aa0aa986f8855 8192390 web optional typo3-src-4.2_4.2.5-1+lenny4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFMd98tUHLQNqxYNSARAuqXAJ9pfey+FDskqXBdalBAOUbRMC6xvQCgqlyj
axZHxcI0Glt3SuIKKyamZAU=
=RaZe
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 03 Oct 2010 07:33:31 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 17:03:06 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.