Debian Bug report logs - #702574
TYPO3-CORE-SA-2013-001: SQL Injection and Open Redirection in TYPO3 Core (CVE-2013-1842, CVE-2013-1843)


Package: typo3-src; Maintainer for typo3-src is Christian Welzel <gawain@camlann.de>;

Reported by: Christian Welzel <gawain@camlann.de>

Date: Fri, 8 Mar 2013 15:03:01 UTC

Severity: critical

Tags: security, upstream

Merged with 702669

Found in versions 4.5.19+dfsg1-4.1, 4.5.14+dfsg1-1~bpo60+1, 4.3.8-1, 4.3.9+dfsg1-1+squeeze7

Fixed in versions 4.3.9+dfsg1-1+squeeze8, 4.5.19+dfsg1-5

Done: Christian Welzel <gawain@camlann.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#702574; Package typo3-src. (Fri, 08 Mar 2013 15:03:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christian Welzel <gawain@camlann.de>:
New Bug report received and forwarded. (Fri, 08 Mar 2013 15:03:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Christian Welzel <gawain@camlann.de>
To: submit@bugs.debian.org
Subject: TYPO3-CORE-SA-2013-001: SQL Injection and Open Redirection in TYPO3 Core
Date: Fri, 08 Mar 2013 15:58:38 +0100
Package: typo3-src
Severity: critical
Tags: security

It has been discovered that TYPO3 Core is susceptible to SQL Injection
and Open Redirection.


Component Type: TYPO3 Core

Affected Versions: 4.5.0 up to 4.5.23, 4.6.0 up to 4.6.16, 4.7.0 up to
4.7.8 and 6.0.0 up to 6.0.2
Vulnerability Types: SQL Injection, Open Redirection
Overall Severity: High
Release Date: March 6, 2013
Vulnerable subcomponent: Extbase Framework


Vulnerability Type: SQL Injection
Severity: Critical
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:C/I:C/A:N/E:H/RL:O/RC:C

Problem Description: Failing to sanitize user input, the Extbase
database abstraction layer is susceptible to SQL Injection. TYPO3 sites
which have no Extbase extensions installed are not affected. Extbase
extensions are affected if they use the Query Object Model and relation
values are user generated input (e.g.
$query->contains('model.categories', $userProvidedValue)).

Note: It has been reported to the TYPO3 Security Team that this problem
is known and exploited in the wild.
Vulnerable subcomponent: Access tracking mechanism


Vulnerability Type: Open Redirection
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:H/RL:O/RC:C

Problem Description: Failing to validate user provided input, the access
tracking mechanism allows redirects to arbitrary URLs.

Important Notes: To fix this vulnerability, we had to break existing
behaviour of TYPO3 sites that use the access tracking mechanism (jumpurl
feature) to transform links to external sites. The link generation has
been changed to include a hash that is checked before redirecting to an
external URL. This means that old links that have been distributed (e.g.
by a newsletter) will not work any more. If you are using the jumpurl
feature, you need to do the following:
look up more information at
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-001/

-- 
 MfG, Christian Welzel

  GPG-Key:     http://www.camlann.de/de/pgpkey.html
  Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
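As an added illustration of the hash-checked redirect the bulletin describes (this is not TYPO3's own code; the /index.php endpoint, the jumpurl and juHash parameter names and the secret are assumptions): link generation signs the target URL with a keyed hash, the redirect handler refuses any target whose hash is missing or does not verify, and an old unsigned link therefore stops working, which is exactly the behaviour change the advisory warns about.

```python
"""Hash-protected redirect, modelled on the TYPO3-CORE-SA-2013-001 jumpurl fix."""
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, quote, urlparse

# Constructed demo secret. A real deployment loads it from configuration.
SECRET_KEY = b"constructed-demo-secret"


def jumpurl_hash(url: str, key: bytes = SECRET_KEY) -> str:
    """HMAC over the target URL; only a holder of the key can produce it."""
    return hmac.new(key, url.encode("utf-8"), hashlib.sha256).hexdigest()


def build_jumpurl(url: str, key: bytes = SECRET_KEY) -> str:
    """Link generation: embed the hash next to the target URL.

    The endpoint and parameter names are hypothetical, not TYPO3's own.
    """
    return f"/index.php?jumpurl={quote(url, safe='')}&juHash={jumpurl_hash(url, key)}"


def resolve_redirect(request_uri: str, key: bytes = SECRET_KEY) -> Optional[str]:
    """Redirect handler: return the target only when its hash verifies.

    Returns None for an unsigned (pre-fix) link, a missing parameter, or a
    hash that does not match the URL, which also covers a URL swapped in
    after signing. Old links distributed before the change stop working.
    """
    params = parse_qs(urlparse(request_uri).query)
    url = params.get("jumpurl", [None])[0]
    given = params.get("juHash", [None])[0]
    if url is None or given is None:
        return None
    expected = jumpurl_hash(url, key)
    # Constant-time comparison on bytes so a wrong hash is rejected
    # without a timing leak and without choking on odd input encodings.
    if not hmac.compare_digest(expected.encode("utf-8"), given.encode("utf-8")):
        return None
    return url


if __name__ == "__main__":
    link = build_jumpurl("https://example.org/docs")
    print(link)
    print(resolve_redirect(link))  # the signed target
    print(resolve_redirect("/index.php?jumpurl=https%3A%2F%2Fexample.org%2Fdocs"))  # None
```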



Reply sent to Christian Welzel <gawain@camlann.de>:
You have taken responsibility. (Fri, 08 Mar 2013 17:36:03 GMT) Full text and rfc822 format available.

Notification sent to Christian Welzel <gawain@camlann.de>:
Bug acknowledged by developer. (Fri, 08 Mar 2013 17:36:03 GMT) Full text and rfc822 format available.

Message #10 received at 702574-close@bugs.debian.org (full text, mbox):

From: Christian Welzel <gawain@camlann.de>
To: 702574-close@bugs.debian.org
Subject: Bug#702574: fixed in typo3-src 4.5.19+dfsg1-5
Date: Fri, 08 Mar 2013 17:32:45 +0000
Source: typo3-src
Source-Version: 4.5.19+dfsg1-5

We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 702574@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Welzel <gawain@camlann.de> (supplier of updated typo3-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 08 Mar 2013 17:02:05 +0100
Source: typo3-src
Binary: typo3-src-4.5 typo3-database typo3-dummy typo3
Architecture: source all
Version: 4.5.19+dfsg1-5
Distribution: unstable
Urgency: low
Maintainer: Christian Welzel <gawain@camlann.de>
Changed-By: Christian Welzel <gawain@camlann.de>
Description: 
 typo3      - web content management system (meta)
 typo3-database - web content management system (database)
 typo3-dummy - web content management system (basic site structure)
 typo3-src-4.5 - web content management system (core)
Closes: 702574
Changes: 
 typo3-src (4.5.19+dfsg1-5) unstable; urgency=low
 .
   * Added patch for TYPO3-SA-2013-001. (Closes: #702574)
   * Set patch level version to -pl.4.5.25.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----




Marked as found in versions 4.3.8-1. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Fri, 08 Mar 2013 23:27:05 GMT) Full text and rfc822 format available.

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 09 Mar 2013 21:51:07 GMT) Full text and rfc822 format available.

Merged 702574 702669 Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 09 Mar 2013 21:51:10 GMT) Full text and rfc822 format available.

Marked as found in versions 4.3.9+dfsg1-1+squeeze7. Request was from Carlos Alberto Lopez Perez <clopez@igalia.com> to control@bugs.debian.org. (Sat, 09 Mar 2013 22:21:04 GMT) Full text and rfc822 format available.

Marked as found in versions 4.5.14+dfsg1-1~bpo60+1. Request was from Carlos Alberto Lopez Perez <clopez@igalia.com> to control@bugs.debian.org. (Sat, 09 Mar 2013 22:21:05 GMT) Full text and rfc822 format available.

Marked as found in versions 4.5.19+dfsg1-4.1. Request was from Carlos Alberto Lopez Perez <clopez@igalia.com> to control@bugs.debian.org. (Sat, 09 Mar 2013 22:21:06 GMT) Full text and rfc822 format available.

Bug reopened Request was from Carlos Alberto Lopez Perez <clopez@igalia.com> to control@bugs.debian.org. (Sun, 10 Mar 2013 22:27:06 GMT) Full text and rfc822 format available.

No longer marked as fixed in versions typo3-src/4.5.19+dfsg1-5. Request was from Carlos Alberto Lopez Perez <clopez@igalia.com> to control@bugs.debian.org. (Sun, 10 Mar 2013 22:27:07 GMT) Full text and rfc822 format available.

Marked as fixed in versions 4.5.19+dfsg1-5. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to 702669-submit@bugs.debian.org. (Sun, 10 Mar 2013 22:45:04 GMT) Full text and rfc822 format available.

Marked Bug as done Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to 702669-submit@bugs.debian.org. (Sun, 10 Mar 2013 22:45:05 GMT) Full text and rfc822 format available.

Notification sent to Christian Welzel <gawain@camlann.de>:
Bug acknowledged by developer. (Sun, 10 Mar 2013 22:45:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Welzel <gawain@camlann.de>:
Bug#702574; Package typo3-src. (Tue, 12 Mar 2013 07:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Welzel <gawain@camlann.de>. (Tue, 12 Mar 2013 07:33:03 GMT) Full text and rfc822 format available.

Message #37 received at 702574@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Christian Welzel <gawain@camlann.de>, 702574@bugs.debian.org
Subject: Re: Bug#702574: TYPO3-CORE-SA-2013-001: SQL Injection and Open Redirection in TYPO3 Core
Date: Tue, 12 Mar 2013 08:27:19 +0100
Control: retitle -1 TYPO3-CORE-SA-2013-001: SQL Injection and Open Redirection in TYPO3 Core (CVE-2013-1842, CVE-2013-1843)

Hi

Only for reference, CVEs were assigned to it now:

CVE-2013-1842 for Typo3 Extbase Framework SQL Injection
CVE-2013-1843 for Typo3 Access tracking mechanism Open Redirection

Regards,
Salvatore



Changed Bug title to 'TYPO3-CORE-SA-2013-001: SQL Injection and Open Redirection in TYPO3 Core (CVE-2013-1842, CVE-2013-1843)' from 'TYPO3-CORE-SA-2013-001: SQL Injection and Open Redirection in TYPO3 Core' Request was from Salvatore Bonaccorso <carnil@debian.org> to 702574-submit@bugs.debian.org. (Tue, 12 Mar 2013 07:33:03 GMT) Full text and rfc822 format available.

Marked as fixed in versions 4.3.9+dfsg1-1+squeeze8. Request was from Carlos Alberto Lopez Perez <clopez@igalia.com> to control@bugs.debian.org. (Sat, 16 Mar 2013 16:54:07 GMT) Full text and rfc822 format available.

Reply sent to Christian Welzel <gawain@camlann.de>:
You have taken responsibility. (Sun, 17 Mar 2013 11:06:18 GMT) Full text and rfc822 format available.

Notification sent to Christian Welzel <gawain@camlann.de>:
Bug acknowledged by developer. (Sun, 17 Mar 2013 11:06:18 GMT) Full text and rfc822 format available.

Message #46 received at 702574-close@bugs.debian.org (full text, mbox):

From: Christian Welzel <gawain@camlann.de>
To: 702574-close@bugs.debian.org
Subject: Bug#702574: fixed in typo3-src 4.3.9+dfsg1-1+squeeze8
Date: Sun, 17 Mar 2013 11:02:45 +0000
Source: typo3-src
Source-Version: 4.3.9+dfsg1-1+squeeze8

We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 702574@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Welzel <gawain@camlann.de> (supplier of updated typo3-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 09 Mar 2013 21:40:09 +0100
Source: typo3-src
Binary: typo3-src-4.3 typo3-database typo3
Architecture: source all
Version: 4.3.9+dfsg1-1+squeeze8
Distribution: squeeze-security
Urgency: high
Maintainer: Christian Welzel <gawain@camlann.de>
Changed-By: Christian Welzel <gawain@camlann.de>
Description: 
 typo3      - The enterprise level open source WebCMS (Meta)
 typo3-database - TYPO3 - The enterprise level open source WebCMS (Database)
 typo3-src-4.3 - TYPO3 - The enterprise level open source WebCMS (Core)
Closes: 702574
Changes: 
 typo3-src (4.3.9+dfsg1-1+squeeze8) squeeze-security; urgency=high
 .
   * Security patch backported from new upstream release 4.5.24 and 4.5.25:
     - fixes: "TYPO3 Security Bulletin TYPO3-CORE-SA-2013-001:
       Several Vulnerabilities in TYPO3 Core" (Closes: 702574)
     - fixes CVE-2013-1842 (SQL injection) and CVE-2013-1843 (Open redirection)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

-----END PGP SIGNATURE-----




Reply sent to Christian Welzel <gawain@camlann.de>:
You have taken responsibility. (Sun, 17 Mar 2013 11:06:19 GMT) Full text and rfc822 format available.

Notification sent to Carlos Alberto Lopez Perez <clopez@igalia.com>:
Bug acknowledged by developer. (Sun, 17 Mar 2013 11:06:19 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 08:12:46 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 14:08:16 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.