Debian Bug report logs - #669158
TYPO3-CORE-SA-2012-002: Cross-Site Scripting Vulnerability in TYPO3 Core


Package: typo3-src; Maintainer for typo3-src is Christian Welzel <gawain@camlann.de>;

Reported by: Christian Welzel <gawain@camlann.de>

Date: Tue, 17 Apr 2012 20:27:01 UTC

Severity: critical

Tags: security

Fixed in versions typo3-src/4.3.9+dfsg1-1+squeeze4, typo3-src/4.5.15+dfsg1-1

Done: Christian Welzel <gawain@camlann.de>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#669158; Package typo3-src. (Tue, 17 Apr 2012 20:27:04 GMT)

Acknowledgement sent to Christian Welzel <gawain@camlann.de>:
New Bug report received and forwarded. (Tue, 17 Apr 2012 20:27:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Christian Welzel <gawain@camlann.de>
To: submit@bugs.debian.org
Subject: TYPO3-CORE-SA-2012-002: Cross-Site Scripting Vulnerability in TYPO3 Core
Date: Tue, 17 Apr 2012 22:23:30 +0200
Package: typo3-src
Severity: critical
Tags: security


Component Type: TYPO3 Core

Affected Versions: 4.4.0 up to 4.4.14, 4.5.0 up to 4.5.14, 4.6.0 up to
4.6.7 and development releases of the 4.7 branch.
Vulnerable subcomponent: Exception Handler



Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C

Problem Description: Failing to properly encode the output, the default
TYPO3 Exception Handler is susceptible to Cross-Site Scripting.
We are not aware of a possibility to exploit this vulnerability without
third party extensions being installed that put user input in exception
messages.
However it has come to our attention that extensions using the extbase
MVC framework can be used to exploit this vulnerability if these
extensions accept objects in controller actions.
In general and especially when in doubt if the above conditions are met,
we highly recommend users of affected versions to update as soon as
possible.

Important Note: In case you have configured your own exception handler
for TYPO3 you need to make sure that the exception messages are properly
encoded within this exception handler before they are presented.


-- 
 MfG, Christian Welzel

  GPG-Key:     http://www.camlann.de/de/pgpkey.html
  Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
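The advisory's point is that an exception message which carries request-controlled text must be HTML-encoded before the handler renders it. The following is an added illustration, not TYPO3 code and not the bulletin author's: a minimal PHP exception handler showing the unencoded pattern beside the encoded one. The registration via `set_exception_handler()` and the sample message are assumptions for the demonstration; TYPO3 registers its handlers through its own configuration.

```php
<?php
// Added example, not TYPO3 code. Contrasts an exception renderer that
// writes the message into HTML unencoded with one that encodes it.

declare(strict_types=1);

// Vulnerable pattern (the defect the advisory describes): the message is
// concatenated into the HTML page as-is, so any markup inside it is live.
function renderExceptionRaw(Throwable $e): string
{
    return '<h1>Uncaught exception</h1><p>' . $e->getMessage() . '</p>';
}

// Encode every fragment that may derive from user input.
// ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of silently returning an empty string.
function encode(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: message, class name and file path are all encoded;
// the line number is cast to int so it cannot carry markup at all.
function renderExceptionEncoded(Throwable $e): string
{
    return '<h1>Uncaught exception</h1>'
        . '<p>' . encode($e->getMessage()) . '</p>'
        . '<p>' . encode(get_class($e)) . ' in ' . encode($e->getFile())
        . ':' . (int) $e->getLine() . '</p>';
}

// Hypothetical process-wide registration of the hardened renderer.
set_exception_handler(function (Throwable $e): void {
    http_response_code(500);
    header('Content-Type: text/html; charset=UTF-8');
    echo renderExceptionEncoded($e);
});

// Constructed sample: an extension echoed request input into its
// exception message, so the message now contains markup.
$sample = new RuntimeException('Invalid value: <script>alert(1)</script>');

echo renderExceptionRaw($sample), "\n";      // script tag reaches the browser intact
echo renderExceptionEncoded($sample), "\n";  // rendered as &lt;script&gt;..., i.e. literal text
```

Run from the CLI, the two `echo` lines make the difference visible; in a real deployment the same encoding has to be applied to any other exception detail (file names, argument dumps) a custom handler chooses to print.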




Reply sent to Christian Welzel <gawain@camlann.de>:
You have taken responsibility. (Fri, 20 Apr 2012 19:42:12 GMT)

Notification sent to Christian Welzel <gawain@camlann.de>:
Bug acknowledged by developer. (Fri, 20 Apr 2012 19:42:12 GMT)

Message #10 received at 669158-close@bugs.debian.org:

From: Christian Welzel <gawain@camlann.de>
To: 669158-close@bugs.debian.org
Subject: Bug#669158: fixed in typo3-src 4.3.9+dfsg1-1+squeeze4
Date: Fri, 20 Apr 2012 19:38:30 +0000
Source: typo3-src
Source-Version: 4.3.9+dfsg1-1+squeeze4

We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive:

typo3-database_4.3.9+dfsg1-1+squeeze4_all.deb
  to main/t/typo3-src/typo3-database_4.3.9+dfsg1-1+squeeze4_all.deb
typo3-src-4.3_4.3.9+dfsg1-1+squeeze4_all.deb
  to main/t/typo3-src/typo3-src-4.3_4.3.9+dfsg1-1+squeeze4_all.deb
typo3-src_4.3.9+dfsg1-1+squeeze4.debian.tar.gz
  to main/t/typo3-src/typo3-src_4.3.9+dfsg1-1+squeeze4.debian.tar.gz
typo3-src_4.3.9+dfsg1-1+squeeze4.dsc
  to main/t/typo3-src/typo3-src_4.3.9+dfsg1-1+squeeze4.dsc
typo3_4.3.9+dfsg1-1+squeeze4_all.deb
  to main/t/typo3-src/typo3_4.3.9+dfsg1-1+squeeze4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 669158@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Welzel <gawain@camlann.de> (supplier of updated typo3-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Thu, 17 Apr 2012 22:30:00 +0200
Source: typo3-src
Binary: typo3-src-4.3 typo3-database typo3
Architecture: source all
Version: 4.3.9+dfsg1-1+squeeze4
Distribution: squeeze-security
Urgency: medium
Maintainer: Christian Welzel <gawain@camlann.de>
Changed-By: Christian Welzel <gawain@camlann.de>
Description: 
 typo3      - The enterprise level open source WebCMS (Meta)
 typo3-database - TYPO3 - The enterprise level open source WebCMS (Database)
 typo3-src-4.3 - TYPO3 - The enterprise level open source WebCMS (Core)
Closes: 669158
Changes: 
 typo3-src (4.3.9+dfsg1-1+squeeze4) squeeze-security; urgency=medium
 .
   * Security patch backported from new upstream release 4.4.15:
     - fixes: "TYPO3 Security Bulletin TYPO3-CORE-SA-2012-002: Cross-Site
       Scripting Vulnerability in TYPO3 Core" (Closes: 669158)






Reply sent to Christian Welzel <gawain@camlann.de>:
You have taken responsibility. (Sun, 22 Apr 2012 09:24:13 GMT)

Notification sent to Christian Welzel <gawain@camlann.de>:
Bug acknowledged by developer. (Sun, 22 Apr 2012 09:24:18 GMT)

Message #15 received at 669158-close@bugs.debian.org:

From: Christian Welzel <gawain@camlann.de>
To: 669158-close@bugs.debian.org
Subject: Bug#669158: fixed in typo3-src 4.5.15+dfsg1-1
Date: Sun, 22 Apr 2012 09:20:10 +0000
Source: typo3-src
Source-Version: 4.5.15+dfsg1-1

We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive:

typo3-database_4.5.15+dfsg1-1_all.deb
  to main/t/typo3-src/typo3-database_4.5.15+dfsg1-1_all.deb
typo3-dummy_4.5.15+dfsg1-1_all.deb
  to main/t/typo3-src/typo3-dummy_4.5.15+dfsg1-1_all.deb
typo3-src-4.5_4.5.15+dfsg1-1_all.deb
  to main/t/typo3-src/typo3-src-4.5_4.5.15+dfsg1-1_all.deb
typo3-src_4.5.15+dfsg1-1.debian.tar.gz
  to main/t/typo3-src/typo3-src_4.5.15+dfsg1-1.debian.tar.gz
typo3-src_4.5.15+dfsg1-1.dsc
  to main/t/typo3-src/typo3-src_4.5.15+dfsg1-1.dsc
typo3-src_4.5.15+dfsg1.orig.tar.gz
  to main/t/typo3-src/typo3-src_4.5.15+dfsg1.orig.tar.gz
typo3_4.5.15+dfsg1-1_all.deb
  to main/t/typo3-src/typo3_4.5.15+dfsg1-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 669158@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Welzel <gawain@camlann.de> (supplier of updated typo3-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sat, 21 Apr 2012 12:32:23 +0200
Source: typo3-src
Binary: typo3-src-4.5 typo3-database typo3-dummy typo3
Architecture: source all
Version: 4.5.15+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Christian Welzel <gawain@camlann.de>
Changed-By: Christian Welzel <gawain@camlann.de>
Description: 
 typo3      - web content management system (meta)
 typo3-database - web content management system (database)
 typo3-dummy - web content management system (basic site structure)
 typo3-src-4.5 - web content management system (core)
Closes: 669158
Changes: 
 typo3-src (4.5.15+dfsg1-1) unstable; urgency=medium
 .
   * New upstream release:
     - fixes: "TYPO3 Security Bulletin TYPO3-CORE-SA-2012-002: Cross-Site
       Scripting Vulnerability in TYPO3 Core" (Closes: 669158)
   * Database update for field uc in be_users.
   * Added bugfix patch for TYPO3 bug #36238.
   * Added patch for errors with PHP 5.4
   * Move Homepage field to source package.
   * Added Vcs-Git, changed Vcs-Browser to point to github
   * changed Homepage field to typo3.org
   * Cleanup of watch file.
   * Added comments to lintian overrides.
   * Raised compat level to 7.
   * Deleted typo3-src-4.5.examples because it's empty.
   * Removed numbering from patches, changed order to alphabetical.
   * Changed index.html files to print warning about directory listing only,
     not redirect anymore.
   * Disable directory listing globally in apache config.






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 11 Jun 2012 07:49:07 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 01:03:32 2014; Machine Name: buxtehude.debian.org
