-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1779
       TYPO3-CORE-SA-2013-004: Multiple Vulnerabilities in TYPO3 CMS
                              11 December 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           TYPO3
Publisher:         TYPO3
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Modify Arbitrary Files         -- Remote/Unauthenticated
                   Increased Privileges           -- Existing Account
                   Access Privileged Data         -- Existing Account
                   Delete Arbitrary Files         -- Existing Account
                   Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade

Original Bulletin:
   http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-004

- --------------------------BEGIN INCLUDED TEXT--------------------

TYPO3-CORE-SA-2013-004: Multiple Vulnerabilities in TYPO3 CMS

December 10, 2013

Category: TYPO3 CMS
Author: Helmut Hummel
Keywords: Cross-Site Scripting, XSS, Information Disclosure, Mass Assignment,
          Open Redirection, Unsafe Unserialize

It has been discovered that TYPO3 CMS is vulnerable to Cross-Site Scripting,
Information Disclosure, Mass Assignment, Open Redirection and Insecure
Unserialize.

Component Type: TYPO3 CMS
Vulnerability Types: Cross-Site Scripting, Information Disclosure, Mass
                     Assignment, Open Redirection and Insecure Unserialize
Overall Severity: Medium
Release Date: December 10, 2013

Vulnerable subcomponent: Content Editing Wizards

Vulnerability Type: Information Disclosure
Affected Versions: Versions 4.5.0 to 4.5.31, 4.7.0 to 4.7.16, 6.0.0 to 6.0.11,
                   6.1.0 to 6.1.6 and the development branch of 6.2
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:N/A:N/E:F/RL:O/RC:C (What's that?)
CVE: none assigned yet

Problem Description: Failing to check for user permissions, it is possible for
authenticated editors to read (but not update or change) content from
arbitrary TYPO3 table columns by forging URL parameters.

Solution: Update to TYPO3 version 4.5.32, 4.7.17, 6.0.12 or 6.1.7, which fix
the problem described.

Credits: Credits go to Security Team member Georg Ringer who discovered and
reported the issue.

Vulnerability Type: Cross-Site Scripting
Affected Versions: Versions 4.5.0 to 4.5.31, 4.7.0 to 4.7.16, 6.0.0 to 6.0.11,
                   6.1.0 to 6.1.6 and the development branch of 6.2
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C (What's that?)
CVE: none assigned yet

Problem Description: Failing to properly encode user input, several content
wizards are susceptible to Cross-Site Scripting, allowing authenticated
editors to inject arbitrary HTML or JavaScript by crafting URL parameters.

Solution: Update to TYPO3 version 4.5.32, 4.7.17, 6.0.12 or 6.1.7, which fix
the problem described.

Credits: Credits go to Richard Brain and Security Team member Georg Ringer who
discovered and reported the issues.

Vulnerability Type: Insecure Unserialize
Affected Versions: Versions from 4.5.0 to 4.5.31, 4.7.0 to 4.7.16, 6.0.0 to
                   6.0.11, 6.1.0 to 6.1.6 and the development branch of 6.2
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:N/I:P/A:P/E:F/RL:O/RC:C (What's that?)
CVE: none assigned yet

Problem Description: Due to a missing signature for an input parameter, an
attacker could unserialize arbitrary objects within TYPO3. We are aware of a
working exploit which can be used to delete arbitrary files which are writable
for the PHP server process. A valid backend user login or a successful
Cross-Site Request Forgery attack is required to exploit this vulnerability.

Solution: Update to TYPO3 version 4.5.32, 4.7.17, 6.0.12 or 6.1.7, which fix
the problem described.

Credits: Credits go to Rupert Germann who discovered and reported the issue.
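The pattern behind the "missing signature for an input parameter" issue above, as an added example that is not part of the advisory or of TYPO3's own code: a wizard hands the browser a serialized PHP value and later calls unserialize() on what comes back, so without a MAC the client can substitute any object graph. The hardened version signs the value when the link is built, verifies the MAC in constant time before unserialize() runs, and binds the MAC to a context string so a token minted for one wizard cannot be replayed in another (the same principle as the form-element HMAC entry later in this advisory). DEMO_SECRET, DemoCleanupGadget, the token layout and the context names wizard_edit/wizard_add are constructed for this example; hash_hmac(), hash_equals() and the allowed_classes option of unserialize() are standard PHP.

```php
<?php
// Added example, not TYPO3 code. Everything named DEMO_* or Demo* below,
// the token format and the wizard context names are constructed here.
declare(strict_types=1);

// Plays the role a site-wide secret (such as a CMS encryption key) would play.
const DEMO_SECRET = 'constructed-demo-secret-do-not-reuse';

// Stand-in for a real gadget class: something with a side-effecting
// destructor. It only records the path instead of calling unlink().
final class DemoCleanupGadget
{
    public static array $wouldDelete = [];
    public function __construct(public string $path) {}
    public function __destruct()
    {
        self::$wouldDelete[] = $this->path;   // a real gadget would unlink()
    }
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// VULNERABLE: trust the parameter as it came back from the client.
function readParamUnsigned(string $param): mixed
{
    return unserialize($param);
}

// FIXED, step 1: sign the value when the link is built. The MAC covers a
// context string too, so a token minted for one wizard is useless in another.
function buildSignedParam(array $value, string $context): string
{
    $serialized = serialize($value);
    $mac = hash_hmac('sha256', $context . "\0" . $serialized, DEMO_SECRET);
    return base64_encode($serialized) . '.' . $mac;
}

// FIXED, step 2: verify the MAC in constant time before unserialize() runs,
// and disallow object instantiation even for a correctly signed payload.
function readParamSigned(string $param, string $context): ?array
{
    $parts = explode('.', $param, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $serialized = base64_decode($parts[0], true);
    if ($serialized === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $context . "\0" . $serialized, DEMO_SECRET);
    if (!hash_equals($expected, $parts[1])) {
        return null;
    }
    $value = unserialize($serialized, ['allowed_classes' => false]);
    return is_array($value) ? $value : null;
}

// --- Demonstration on constructed inputs ------------------------------------

// The forged payload: a serialized gadget pointing at a file to delete.
$forged = serialize(new DemoCleanupGadget('/var/www/typo3conf/localconf.php'));
DemoCleanupGadget::$wouldDelete = [];          // discard the constructor copy

// Unsigned path: the object is rebuilt and its destructor fires on release.
readParamUnsigned($forged);
check(DemoCleanupGadget::$wouldDelete === ['/var/www/typo3conf/localconf.php'],
      'unsigned unserialize ran the gadget');

// Signed path: the forged payload carries no valid MAC and never reaches
// unserialize(); even a signed object would come back as an incomplete class.
DemoCleanupGadget::$wouldDelete = [];
check(readParamSigned(base64_encode($forged) . '.0000', 'wizard_edit') === null,
      'forged payload rejected');
check(DemoCleanupGadget::$wouldDelete === [], 'gadget never instantiated');

// A legitimately built token round-trips only in its own context...
$legit = ['table' => 'tt_content', 'field' => 'bodytext'];
$token = buildSignedParam($legit, 'wizard_edit');
check(readParamSigned($token, 'wizard_edit') === $legit, 'round trip');
check(readParamSigned($token, 'wizard_add') === null, 'context mismatch');

// ...and not after the payload half is swapped while keeping the old MAC.
[, $mac] = explode('.', $token, 2);
$swapped = base64_encode(serialize(['table' => 'be_users', 'field' => 'password'])) . '.' . $mac;
check(readParamSigned($swapped, 'wizard_edit') === null, 'tampering detected');

echo "all checks passed\n";
```

Run it with `php example.php`; it throws on the first failed check and otherwise prints "all checks passed". The order of the two defences matters: the MAC check comes first so that unserialize() never parses attacker bytes, and allowed_classes is only a second line in case a signed payload is ever produced from untrusted input elsewhere.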
Vulnerable subcomponent: Extension Manager

Vulnerability Type: Cross-Site Scripting
Affected Versions: Versions 4.5.0 to 4.5.31 and 4.7.0 to 4.7.16
Severity: Low
Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C (What's that?)
CVE: none assigned yet

Problem Description: Failing to properly encode user input, the extension
manager is susceptible to Cross-Site Scripting. To exploit this vulnerability,
attackers could trick authenticated administrators into following a forged URL
which executes injected JavaScript on behalf of the administrator.

Solution: Update to TYPO3 version 4.5.32 or 4.7.17, which fix the problem
described.

Credits: Credits go to Steffen Müller who discovered and reported the issue.

Vulnerable subcomponent: Backend User Administration

Vulnerability Type: Cross-Site Scripting
Affected Versions: Versions 6.0.0 to 6.0.11, 6.1.0 to 6.1.6 and the development
                   branch of 6.2
Severity: Low
Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C (What's that?)
CVE: none assigned yet

Problem Description: Failing to properly encode user input, the Backend User
Administration Module is susceptible to Cross-Site Scripting. To exploit this
vulnerability, attackers could trick authenticated administrators into
following a forged URL which executes injected JavaScript on behalf of the
administrator.

Solution: Update to TYPO3 version 6.0.12 or 6.1.7, which fix the problem
described.

Credits: Credits go to Sebastian Nerz and Security Team member Georg Ringer who
discovered and reported the issues.

Vulnerable subcomponent: Extbase

Vulnerability Type: Cross-Site Scripting
Affected Versions: Versions from 4.5.0 to 4.5.31, 4.7.0 to 4.7.16, 6.0.0 to
                   6.0.11, 6.1.0 to 6.1.6 and the development branch of 6.2
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:H/RL:O/RC:C (What's that?)
CVE: none assigned yet

Problem Description: The errorAction method in the ActionController base class
of Extbase returns error messages without properly encoding them. Because these
error messages can contain user input, this could lead to a Cross-Site
Scripting vulnerability in Extbase Framework driven TYPO3 extensions.

For this vulnerability to be exploited, the following conditions must be
fulfilled:

  1. An Extbase extension must be installed and be available as plugin or
     module.
  2. The plugin or module must have the Rewritten Property Mapper enabled.
  3. The errorAction has not been overridden in the controller subclass in a
     way that removes error messages from the return values.

Although we are not aware of any possibility to exploit this issue with the old
property mapper or the Extbase version that has been delivered with TYPO3
4.5.x, we removed potentially offending output from these versions as well.

Hint: If your Extbase extension has controller classes that override
errorAction, we advise you to check that the error messages returned by these
actions only contain static strings and are not derived from any kind of user
input. If you are not sure whether your code is fine in that regard, feel free
to ask on a public mailing list or the forum.

Important: We have received reports that this issue has been actively exploited
in the wild.

Solution: Update to TYPO3 version 4.5.32, 4.7.17, 6.0.12 or 6.1.7, which fix
the problem described.

Note: The same problem applies to the TYPO3 Flow Framework. The corresponding
advisory is: TYPO3-FLOW-SA-2013-001

Credits: Credits go to André Koch who discovered and reported the issue.

Vulnerable subcomponent: OpenID Extension

Vulnerability Type: Open Redirection
Affected Versions: Versions from 4.5.0 to 4.5.31, 4.7.0 to 4.7.16, 6.0.0 to
                   6.0.11, 6.1.0 to 6.1.6 and the development branch of 6.2
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:O/RC:C (What's that?)
CVE: none assigned yet

Problem Description: Failing to validate user-provided input, the openid
extension allows redirects to arbitrary URLs. For this vulnerability to exist,
the openid extension must be installed.

Solution: Update to TYPO3 version 4.5.32, 4.7.17, 6.0.12 or 6.1.7, which fix
the problem described.

Credits: Credits go to Security Team member Georg Ringer who discovered and
reported the issue.

Vulnerable subcomponent: Extension table administration library

Vulnerability Type: Mass Assignment
Affected Versions: Versions from 4.5.0 to 4.5.31, 4.7.0 to 4.7.16 and 6.0.0 to
                   6.0.11
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C (What's that?)
CVE: none assigned yet

Problem Description: Extensions that make use of the feuser_adminLib.inc
library to create records are susceptible to Mass Assignment. This means that
any links for creating records generated by this library can be manipulated to
fill any field in the configured database table with arbitrary values. An
attack is not limited to the fields listed in the configuration or the link
itself. This library has been deprecated and removed from TYPO3 versions 6.1
and later, but we still decided to fix this issue in previous versions.

Hint: Extension authors are highly encouraged not to use this deprecated
library anymore.

Solution: Update to TYPO3 version 4.5.32, 4.7.17 or 6.0.12, which fix the
problem described.

Credits: Credits go to Bernhard Kraft who discovered and reported the issue.

Vulnerable subcomponent: (Old) Form Content Element

Vulnerability Type: Information Disclosure potentially leading to Privilege
                    Escalation
Affected Versions: Versions from 4.5.0 to 4.5.31, 4.7.0 to 4.7.16, 6.0.0 to
                   6.0.11, 6.1.0 to 6.1.6 and the development branch of 6.2
Severity: Low
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:N/A:N/E:F/RL:O/RC:C (What's that?)
CVE: none assigned yet

Problem Description: Editors that have access to the (old) form content element
were able to generate arbitrary signatures (HMACs) that could be used in
contexts which the editor should not have access to. As a precaution we changed
the generation of the signature in a way that prevents usage in a different
context.

Note: The old form content element is used by TYPO3 if the delivered extension
"form" is not active.

Solution: Update to TYPO3 version 4.5.32, 4.7.17, 6.0.12 or 6.1.7, which fix
the problem described.

Credits: Credits go to Security Team member Franz Jahn who discovered and
reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 Security
Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can
easily look them up on our review system.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUqfJnBLndAQH1ShLAQKK8BAAg4YtJ6Q4Jg6ga8R1VoVkLJdWlCM6MGhe
3Y4VA9ScBdDr0VcMqQ/v69OuLieBoX7+Oe+vWNljwAvL0ajr3KsUY2BCAD0lKPJ6
cLNhvbE0Jq+ODwfMPx6F+KQmTN9u6mhFdc4x2rgw7+djgdtAfGirOhJgfgla9JvS
sm/PLaYgWs3AMf8D3gP0BnbKyjFcn7HCjaeJxyH2uRyQL8N0qGRUgIj712WI6t+u
MpUXk2jEsPKjquWcPAbyFoMMm2HCjj0Xfau6/+nUcC/SG0u3Z32jaIn/9uiesLsG
ECUjbh/KMEP33fCPMLobNI0GzmVGyenULIxjiLUkYxkgu619upaZKCbOHwX16H12
DzCtOpEsmx6FQHjXUplyH9kvvCU0kYeRs96NGHKsl5MOgvC/uf1zaFo0jcvKJzkj
mYOL7E4tDawmjjlocVSx5iC959/wvayQxhYsCURvjB9NYm9FH8tZnDLTNw0ndbF3
ImShrP9t1d4hT4tiV8BxJwm78TBv8MZaqppOyOaw94gtPjT7XkKLDyPe1pBBU42R
bdAABBM9P2ZwizHDFv4SNVwhR4dPU6I5wPKkHEvXKnwWD9UmQzA/pFhbHqILeY2m
r8ThDqpp6501JkIpECYhO39oOcH/DKHjIZANUHJKNg7Bv7YOE78srkxCOHGKXigp
ZWw+OzlIRxA=
=eJEm
-----END PGP SIGNATURE-----
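The Extbase errorAction issue in the bulletin above (validation error messages that carry the submitted value, returned unencoded), reproduced on a self-contained validator as an added example; this is not Extbase code and not part of the advisory. It shows the vulnerable shape beside the two fixes the advisory's hint points to: return only static text from an overridden errorAction, or HTML-encode at the output boundary. The validator rules, the property names email/age and the request are constructed for this example; htmlspecialchars() and str_contains() are standard PHP.

```php
<?php
// Added example, not Extbase code. The validator, property names and the
// request below are constructed for this example.
declare(strict_types=1);

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Minimal stand-in for a property-mapping validation result:
// property name => error message. The message embeds the rejected value,
// which is where attacker-controlled text enters.
function validateSubmission(array $args): array
{
    $rules = ['email' => '/^[^@\s]+@[^@\s]+$/', 'age' => '/^\d{1,3}$/'];
    $errors = [];
    foreach ($rules as $prop => $re) {
        $value = (string) ($args[$prop] ?? '');
        if (!preg_match($re, $value)) {
            $errors[$prop] = sprintf('Value "%s" is not valid for property %s', $value, $prop);
        }
    }
    return $errors;
}

// VULNERABLE shape: flatten the messages into the response body as-is.
function errorActionUnsafe(array $args): string
{
    return implode("\n", validateSubmission($args));
}

// FIXED, option A (the advisory's hint for overridden errorActions): return
// static text only; nothing derived from the request reaches the output.
function errorActionStatic(array $args): string
{
    return validateSubmission($args) === []
        ? ''
        : 'The submitted data could not be validated. Please check your input.';
}

// FIXED, option B: keep the detail, but HTML-encode at the output boundary.
function errorActionEncoded(array $args): string
{
    $encoded = [];
    foreach (validateSubmission($args) as $msg) {
        $encoded[] = htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    return implode("\n", $encoded);
}

// True if the response still contains a raw script tag the browser would run.
function containsRawScript(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// --- Demonstration with a constructed malicious request ---------------------
$request = ['email' => '"><script>alert(document.cookie)</script>', 'age' => 'abc'];

$unsafe  = errorActionUnsafe($request);
$static  = errorActionStatic($request);
$encoded = errorActionEncoded($request);

check(containsRawScript($unsafe),  'unencoded output carries the payload');
check(!containsRawScript($static), 'static message carries nothing from the request');
check(!containsRawScript($encoded) && str_contains($encoded, '&lt;script&gt;'),
      'encoded output is inert');

echo "unsafe:\n$unsafe\n\nstatic:\n$static\n\nencoded:\n$encoded\n";
```

Option A is the smaller change for an existing override and matches the advisory's wording; option B is what a framework-level fix has to do, since it cannot know which messages are static. The advisory's third precondition (an errorAction that still returns the messages) is exactly the difference between errorActionUnsafe and errorActionStatic.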
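The Mass Assignment entry for feuser_adminLib.inc in the bulletin above, as an added example that is not part of the advisory and not the library's own code: a record builder that writes every submitted key is contrasted with one that copies only an allow-list held in server-side configuration and applies server-chosen columns last. The advisory's point that the attack is not limited to the fields listed in the link is why the allow-list must not travel in the link. The table name fe_users, the columns, ALLOWED_FIELDS, SERVER_SET_FIELDS and the POST body are constructed for this example.

```php
<?php
// Added example, not feuser_adminLib code. Table, column names, the two
// constants and the request are constructed for this example.
declare(strict_types=1);

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Which columns the creation form may set. This list lives in server-side
// configuration; an allow-list carried in the link itself is under the
// client's control and gives no protection.
const ALLOWED_FIELDS = ['username', 'email', 'name'];

// Columns the application decides itself for a newly created record.
const SERVER_SET_FIELDS = ['pid' => 42, 'usergroup' => '3', 'disable' => 1];

// VULNERABLE: every key the client sent becomes a column, and client keys
// take precedence over the server's defaults ('+' keeps the left operand).
function buildRecordUnsafe(array $post): array
{
    return $post + SERVER_SET_FIELDS;
}

// FIXED: copy only allow-listed keys from the request, then apply the
// server-set columns last so nothing from the request can override them.
function buildRecordSafe(array $post): array
{
    $record = array_intersect_key($post, array_flip(ALLOWED_FIELDS));
    foreach (SERVER_SET_FIELDS as $column => $value) {
        $record[$column] = $value;
    }
    return $record;
}

// Both builders end in a parameterised INSERT. Mass assignment is not an
// injection problem; the damage is in which columns get written at all.
function toInsert(string $table, array $record): array
{
    $columns = array_keys($record);
    $sql = sprintf(
        'INSERT INTO %s (%s) VALUES (%s)',
        $table,
        implode(', ', $columns),
        implode(', ', array_fill(0, count($columns), '?'))
    );
    return [$sql, array_values($record)];
}

// --- Constructed attack: the form exposes username/email/name, the attacker
// adds the columns that grant privileges and skip moderation ----------------
$post = [
    'username'  => 'mallory',
    'email'     => 'mallory@example.test',
    'name'      => 'Mallory',
    'usergroup' => '1',      // privileged group in this constructed setup
    'disable'   => '0',      // bypass the "account must be approved" flag
    'pid'       => '1',
];

$unsafe = buildRecordUnsafe($post);
check($unsafe['usergroup'] === '1' && $unsafe['disable'] === '0',
      'unsafe builder let the request choose group and disable flag');

$safe = buildRecordSafe($post);
check($safe['usergroup'] === '3' && $safe['disable'] === 1 && $safe['pid'] === 42,
      'safe builder kept the server-set columns');
check(array_keys($safe) === ['username', 'email', 'name', 'pid', 'usergroup', 'disable'],
      'safe builder wrote exactly the allow-listed plus server-set columns');

[$sql, $params] = toInsert('fe_users', $safe);
echo $sql, "\n", json_encode($params), "\n";
```

The same shape applies to any "create record from form" helper: the set of writable columns is a server-side decision, and anything the client can influence (link parameters, hidden fields, extra POST keys) is filtered against it before a query is built.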