-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1779
       TYPO3-CORE-SA-2013-004: Multiple Vulnerabilities in TYPO3 CMS
                             11 December 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           TYPO3
Publisher:         TYPO3
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Modify Arbitrary Files         -- Remote/Unauthenticated      
                   Increased Privileges           -- Existing Account            
                   Access Privileged Data         -- Existing Account            
                   Delete Arbitrary Files         -- Existing Account            
                   Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-004

- --------------------------BEGIN INCLUDED TEXT--------------------

TYPO3-CORE-SA-2013-004: Multiple Vulnerabilities in TYPO3 CMS

December 10, 2013

Category: TYPO3 CMS
Author: Helmut Hummel
Keywords: Cross-Site Scripting, XSS, Information Disclosure, Mass Assignment,
Open Redirection, Unsafe Unserialize

It has been discovered that TYPO3 CMS is vulnerable to Cross-Site Scripting, 
Information Disclosure, Mass Assignment, Open Redirection and Insecure 
Unserialize.

Component Type: TYPO3 CMS

Vulnerability Types: Cross-Site Scripting, Information Disclosure, Mass 
Assignment, Open Redirection and Insecure Unserialize

Overall Severity: Medium

Release Date: December 10, 2013

Vulnerable subcomponent: Content Editing Wizards

Vulnerability Type: Information Disclosure

Affected Versions: Versions 4.5.0 to 4.5.31, 4.7.0 to 4.7.16, 6.0.0 to 6.0.11,
6.1.0 to 6.1.6 and the development branch of 6.2

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:N/A:N/E:F/RL:O/RC:C

CVE: none assigned yet

Problem Description: Because user permissions are not checked, authenticated
editors can read (but not update or change) content from arbitrary TYPO3 table
columns by forging URL parameters.

Solution: Update to TYPO3 version 4.5.32, 4.7.17, 6.0.12 or 6.1.7, which fix
the problem described.

Credits: Credits go to Security Team member Georg Ringer who discovered and 
reported the issue.

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 4.5.0 to 4.5.31, 4.7.0 to 4.7.16, 6.0.0 to 6.0.11,
6.1.0 to 6.1.6 and the development branch of 6.2

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C

CVE: none assigned yet

Problem Description: Failing to properly encode user input, several content 
wizards are susceptible to Cross-Site Scripting, allowing authenticated 
editors to inject arbitrary HTML or JavaScript by crafting URL parameters.

Solution: Update to TYPO3 version 4.5.32, 4.7.17, 6.0.12 or 6.1.7, which fix
the problem described.

Credits: Credits go to Richard Brain and Security Team member Georg Ringer who
discovered and reported the issues.

Vulnerability Type: Insecure Unserialize

Affected Versions: Versions from 4.5.0 to 4.5.31, 4.7.0 to 4.7.16, 6.0.0 to 
6.0.11, 6.1.0 to 6.1.6 and the development branch of 6.2

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:N/I:P/A:P/E:F/RL:O/RC:C

CVE: none assigned yet

Problem Description: Due to a missing signature on an input parameter, an
attacker could unserialize arbitrary objects within TYPO3. We are aware of a
working exploit which can be used to delete arbitrary files that are writable
by the PHP server process. A valid backend user login or a successful
Cross-Site Request Forgery attack is required to exploit this vulnerability.

Solution: Update to TYPO3 version 4.5.32, 4.7.17, 6.0.12 or 6.1.7, which fix
the problem described.

Credits: Credits go to Rupert Germann who discovered and reported the issue.

Vulnerable subcomponent: Extension Manager

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 4.5.0 to 4.5.31 and 4.7.0 to 4.7.16

Severity: Low

Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C

CVE: none assigned yet

Problem Description: Failing to properly encode user input, the extension
manager is susceptible to Cross-Site Scripting. To exploit this vulnerability,
attackers would have to trick an authenticated administrator into following a
forged URL, which then executes injected JavaScript on behalf of the
administrator.

Solution: Update to TYPO3 version 4.5.32 or 4.7.17, which fix the problem
described.

Credits: Credits go to Steffen Müller who discovered and reported the issue.

Vulnerable subcomponent: Backend User Administration

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.0.0 to 6.0.11, 6.1.0 to 6.1.6 and the 
development branch of 6.2

Severity: Low

Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C

CVE: none assigned yet

Problem Description: Failing to properly encode user input, the Backend User
Administration Module is susceptible to Cross-Site Scripting. To exploit this
vulnerability, attackers would have to trick an authenticated administrator
into following a forged URL, which then executes injected JavaScript on behalf
of the administrator.

Solution: Update to TYPO3 version 6.0.12 or 6.1.7, which fix the problem
described.

Credits: Credits go to Sebastian Nerz and Security Team member Georg Ringer 
who discovered and reported the issues.

Vulnerable subcomponent: Extbase

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions from 4.5.0 to 4.5.31, 4.7.0 to 4.7.16, 6.0.0 to 
6.0.11, 6.1.0 to 6.1.6 and the development branch of 6.2

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:H/RL:O/RC:C

CVE: none assigned yet

Problem Description: The errorAction method in the ActionController base class
of Extbase returns error messages without properly encoding them. Because
these error messages can contain user input, this can lead to a Cross-Site
Scripting vulnerability in TYPO3 extensions built on the Extbase Framework.
For this vulnerability to be exploited, all of the following conditions must
be fulfilled:

- An Extbase extension must be installed and be available as a plugin or
  module.
- The plugin or module must have the Rewritten Property Mapper enabled.
- The errorAction has not been overridden in the controller subclass in a way
  that removes error messages from the return values.

Although we are not aware of any possibility to exploit this issue with the 
old property mapper or the Extbase version that has been delivered with TYPO3
4.5.x, we removed potentially offending output from these versions as well.

Hint: If your Extbase extension has controller classes that override
errorAction, we advise you to check that the error messages returned by these
actions contain only static strings and are not derived from any kind of user
input. If you are not sure whether your code is fine in that regard, feel free
to ask on a public mailing list or the forum.
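The following is an added illustration, not code from TYPO3 or the Extbase framework, of the pattern the hint above describes: an error message that echoes a request argument back unencoded, the same message with HTML encoding applied to every user-controlled fragment, and the static-string alternative recommended for overridden errorAction methods. The argument name "title", its hostile value and the message text are constructed for the demo.

```php
<?php
// Constructed input standing in for an Extbase request argument that failed
// validation. A real request would carry this in a URL or POST parameter.
$arguments = ['title' => '<script>alert(document.cookie)</script>'];
$errors    = ['title' => 'Property "title" must not contain HTML tags'];

// Vulnerable pattern: the rejected value is copied into the response as-is,
// so markup supplied by the client becomes markup in the page.
function errorMessageUnsafe(array $errors, array $arguments): string
{
    $lines = [];
    foreach ($errors as $property => $message) {
        $given   = $arguments[$property] ?? '';
        $lines[] = sprintf('%s (given: %s)', $message, $given);
    }
    return '<p class="error">' . implode('<br>', $lines) . '</p>';
}

// Hardened pattern: every fragment that can contain user input is HTML-encoded
// before it is concatenated into the response. ENT_QUOTES also escapes quotes,
// which matters if the message ever ends up inside an attribute value.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function errorMessageEncoded(array $errors, array $arguments): string
{
    $lines = [];
    foreach ($errors as $property => $message) {
        $given   = encodeForHtml((string)($arguments[$property] ?? ''));
        $lines[] = sprintf('%s (given: %s)', encodeForHtml($message), $given);
    }
    return '<p class="error">' . implode('<br>', $lines) . '</p>';
}

// Static-string alternative: this is what an overridden errorAction should
// return if it does not want to deal with encoding at all. Nothing from the
// request reaches the response, so there is nothing to encode.
function errorMessageStatic(): string
{
    return 'The request could not be processed because some values were invalid.';
}

echo errorMessageUnsafe($errors, $arguments), PHP_EOL;
echo errorMessageEncoded($errors, $arguments), PHP_EOL;
echo errorMessageStatic(), PHP_EOL;
```

Run it with `php example.php` and compare the first two lines of output: the first contains a live script element, the second the same text with `<`, `>` and quotes turned into entities. When reviewing an overridden errorAction, the question to ask is whether any string that reaches the return value originates from the request; if the answer is not obviously "no", the encoded form or the static form is the safe choice.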

Important: We have received reports that this issue has been actively 
exploited in the wild.

Solution: Update to TYPO3 version 4.5.32, 4.7.17, 6.0.12 or 6.1.7, which fix
the problem described.

Note: The same problem applies to the TYPO3 Flow Framework. The corresponding
advisory is TYPO3-FLOW-SA-2013-001.

Credits: Credits go to André Koch who discovered and reported the issue.

Vulnerable subcomponent: OpenID Extension

Vulnerability Type: Open Redirection

Affected Versions: Versions from 4.5.0 to 4.5.31, 4.7.0 to 4.7.16, 6.0.0 to 
6.0.11, 6.1.0 to 6.1.6 and the development branch of 6.2

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:O/RC:C

CVE: none assigned yet

Problem Description: Failing to validate user-provided input, the openid 
extension allows redirects to arbitrary URLs. For this vulnerability to exist,
the openid extension must be installed.
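As an added example of the check whose absence causes an open redirection (this is not the openid extension's code), the function below accepts a user-supplied return URL only if it is a site-relative path or an absolute http(s) URL on the site's own host. The host name and the candidate URLs are constructed for the demo.

```php
<?php
// Decide whether a redirect target supplied by the client may be followed.
// Anything not provably on our own site is rejected in favour of a fallback.
function isSafeRedirectTarget(string $target, string $ownHost): bool
{
    // Protocol-relative targets ("//other.example/x") inherit the scheme but
    // change the host; backslashes are normalised to slashes by browsers, and
    // control characters have no business in a URL. Reject all three up front.
    if (strncmp($target, '//', 2) === 0
        || strpos($target, '\\') !== false
        || preg_match('/[\x00-\x1F\x7F]/', $target)) {
        return false;
    }

    $parts = parse_url($target);
    if ($parts === false) {
        return false;
    }

    // No scheme and no host: treat as site-relative, but insist on a leading
    // slash so that "evil.example/x" cannot slip through as a "path".
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        return isset($parts['path']) && $parts['path'] !== '' && $parts['path'][0] === '/';
    }

    // Absolute URL: only http(s), and only back to our own host. This also
    // rejects "javascript:" and "data:" targets, which parse as a scheme.
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    return in_array($scheme, ['http', 'https'], true) && $host === strtolower($ownHost);
}

// The redirect helper an authentication flow would call after login.
function redirectTargetAfterLogin(string $requested, string $ownHost, string $fallback = '/'): string
{
    return isSafeRedirectTarget($requested, $ownHost) ? $requested : $fallback;
}

// Constructed candidates: the first two should pass, the rest should fall back.
$ownHost = 'www.example.org';
$candidates = [
    '/typo3/index.php?M=web_list',
    'https://www.example.org/dashboard',
    'https://other.example/login',
    '//other.example/login',
    '/\\other.example/login',
    'javascript:alert(1)',
    'evil.example/x',
];
foreach ($candidates as $candidate) {
    printf("%-40s -> %s\n", $candidate, redirectTargetAfterLogin($candidate, $ownHost));
}
```

A stricter variant drops absolute URLs entirely and accepts only relative paths; that is usually sufficient for a "return to" parameter and removes the host comparison as a source of mistakes. Either way, log rejected targets: a burst of foreign-host return URLs against a login endpoint is a useful signal that someone is probing for exactly this class of bug.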

Solution: Update to TYPO3 version 4.5.32, 4.7.17, 6.0.12 or 6.1.7, which fix
the problem described.

Credits: Credits go to Security Team member Georg Ringer who discovered and 
reported the issue.

Vulnerable subcomponent: Extension table administration library

Vulnerability Type: Mass Assignment

Affected Versions: Versions from 4.5.0 to 4.5.31, 4.7.0 to 4.7.16 and 6.0.0 to
6.0.11

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: none assigned yet

Problem Description: Extensions that make use of the feuser_adminLib.inc 
library to create records are susceptible to Mass Assignment. This means that
any links for creating records generated by this library can be manipulated to
fill any field in the configured database table with arbitrary values. An 
attack is not limited to the fields listed in the configuration or the link 
itself. This library has been deprecated and removed from TYPO3 versions 6.1 
and later but we still decided to fix this issue in previous versions.

Hint: Extension authors are highly encouraged not to use this deprecated 
library anymore.
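To make the Mass Assignment problem concrete, here is an added example (it is not the feuser_adminLib.inc code) of the two ways a record can be assembled from a submitted form: copying every submitted key into the record, which lets the client choose the columns, versus keeping only the fields the integrator configured and applying server-side defaults last. The table, field names and submitted values are constructed for the demo.

```php
<?php
// Constructed POST body. The form only showed "username" and "email"; the
// last two keys were added by the client to set columns it was never offered.
$submitted = [
    'username'  => 'alice',
    'email'     => 'alice@example.org',
    'usergroup' => '1',
    'disable'   => '0',
];

// Vulnerable pattern: whatever arrives becomes a column assignment.
function buildRecordUnsafe(array $submitted): array
{
    $record = [];
    foreach ($submitted as $field => $value) {
        $record[$field] = $value;
    }
    return $record;
}

// Hardened pattern: keep only configured fields, then apply server-controlled
// defaults. array_merge lets later arrays win, so a submitted "disable" or
// "usergroup" can never override the values the server insists on.
function buildRecordAllowListed(array $submitted, array $allowedFields, array $serverDefaults): array
{
    $record = array_intersect_key($submitted, array_flip($allowedFields));
    return array_merge($record, $serverDefaults);
}

// Fields that were submitted but not allowed. Worth logging: a client that
// keeps sending "usergroup" or "admin" to a registration form is probing.
function rejectedFields(array $submitted, array $allowedFields): array
{
    return array_values(array_diff(array_keys($submitted), $allowedFields));
}

// Configuration an integrator would supply for a front-end user signup.
$allowedFields  = ['username', 'email'];
$serverDefaults = ['usergroup' => '', 'disable' => '1', 'pid' => 42];

print_r(buildRecordUnsafe($submitted));
print_r(buildRecordAllowListed($submitted, $allowedFields, $serverDefaults));
print_r(rejectedFields($submitted, $allowedFields));
```

The second record contains `usergroup => ''` and `disable => '1'` regardless of what was submitted, which is the property the advisory says the library lacked: the set of writable columns is fixed by the configuration, not by the link or the request.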

Solution: Update to TYPO3 version 4.5.32, 4.7.17 or 6.0.12, which fix the
problem described.

Credits: Credits go to Bernhard Kraft who discovered and reported the issue.

Vulnerable subcomponent: (Old) Form Content Element

Vulnerability Type: Information Disclosure potentially leading to Privilege 
Escalation

Affected Versions: Versions from 4.5.0 to 4.5.31, 4.7.0 to 4.7.16, 6.0.0 to 
6.0.11, 6.1.0 to 6.1.6 and the development branch of 6.2

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:N/A:N/E:F/RL:O/RC:C

CVE: none assigned yet

Problem Description: Editors that have access to the (old) form content
element were able to generate arbitrary signatures (HMACs) that could be used
in contexts which the editor should not have access to. As a precaution we
changed the generation of the signature so that a signature created for one
context cannot be used in a different one.

Note: The old form content element is used by TYPO3 if the delivered extension
"form" is not active.
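The Insecure Unserialize issue above (a parameter accepted without a signature) and this form content element issue (a signature valid in more contexts than intended) are two sides of the same mechanism, so one added example serves both. It is not TYPO3's own HMAC or unserialize code: the key, context names and payload are constructed for the demo, and DEMO_KEY is a placeholder for a per-installation secret.

```php
<?php
// Placeholder secret; a real deployment would read a random per-installation
// key from configuration, never a constant in source.
const DEMO_KEY = 'replace-with-a-random-installation-secret';

// HMAC over (context, payload). Length-prefixing the context removes any
// ambiguity between ("form", "abc") and ("for", "mabc") once concatenated,
// so a signature minted for one context is meaningless in another.
function signForContext(string $payload, string $context, string $key): string
{
    $material = strlen($context) . ':' . $context . '|' . $payload;
    return hash_hmac('sha256', $material, $key);
}

// Token format: base64(payload) "." hex(hmac). Neither half can contain ".".
function issueSigned(string $payload, string $context, string $key): string
{
    return base64_encode($payload) . '.' . signForContext($payload, $context, $key);
}

// Returns the payload only if the signature verifies for *this* context.
// hash_equals compares in constant time, so timing does not leak the HMAC.
function acceptSigned(string $token, string $context, string $key): ?string
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[0], true);
    if ($payload === false) {
        return null;
    }
    $expected = signForContext($payload, $context, $key);
    return hash_equals($expected, $parts[1]) ? $payload : null;
}

// unserialize() only runs on data whose signature checked out, and even then
// with object instantiation disabled (allowed_classes, PHP 7.0 and later),
// so a forged or replayed parameter never reaches a class's wakeup logic.
function unserializeSigned(string $token, string $context, string $key)
{
    $payload = acceptSigned($token, $context, $key);
    if ($payload === null) {
        throw new RuntimeException('Rejected: missing, invalid or foreign-context signature');
    }
    return unserialize($payload, ['allowed_classes' => false]);
}

// 1. A signed parameter issued for the form element round-trips cleanly.
$settings = serialize(['table' => 'tt_content', 'columns' => ['header', 'bodytext']]);
$token    = issueSigned($settings, 'form-element', DEMO_KEY);
var_dump(unserializeSigned($token, 'form-element', DEMO_KEY));

// 2. The same token presented to a different component is refused, which is
//    the property the form content element fix restores.
var_dump(acceptSigned($token, 'content-wizard', DEMO_KEY));

// 3. A payload edited after signing is refused before unserialize() runs,
//    which is what the missing signature in the unserialize issue allowed.
$tampered = base64_encode(serialize(['table' => 'be_users'])) . '.' . explode('.', $token, 2)[1];
var_dump(acceptSigned($tampered, 'form-element', DEMO_KEY));
```

Two design choices are worth calling out. Verification happens before unserialize(), never after, because the dangerous work in a PHP deserialization bug is done during unserialize() itself; and the context string is part of the signed material rather than an out-of-band check, so forgetting to compare contexts at the call site cannot silently reopen the cross-context reuse the advisory describes.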

Solution: Update to TYPO3 version 4.5.32, 4.7.17, 6.0.12 or 6.1.7, which fix
the problem described.

Credits: Credits go to Security Team member Franz Jahn who discovered and 
reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can 
easily look them up on our review system.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----