===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0820
        TYPO3-CORE-SA-2014-001: Multiple Vulnerabilities in TYPO3 CMS
                                 26 May 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           TYPO3
Publisher:         TYPO3
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Reduced Security                -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin:
  http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-001/

--------------------------BEGIN INCLUDED TEXT--------------------

TYPO3-CORE-SA-2014-001: Multiple Vulnerabilities in TYPO3 CMS

May 22, 2014
Category: TYPO3 CMS
Author:   Helmut Hummel
Keywords: TYPO3 CMS, TYPO3-CORE-SA-2014-001, Cross-Site Scripting, Insecure Unserialize, Improper Session Invalidation, Authentication Bypass, Information Disclosure, Host Spoofing

It has been discovered that TYPO3 CMS is vulnerable to Cross-Site Scripting, Insecure Unserialize, Improper Session Invalidation, Authentication Bypass, Information Disclosure and Host Spoofing.

Component Type:      TYPO3 CMS
Vulnerability Types: Cross-Site Scripting, Insecure Unserialize, Improper Session Invalidation, Authentication Bypass, Information Disclosure and Host Spoofing
Overall Severity:    Medium
Release Date:        May 22, 2014


Vulnerability Type:  Host Spoofing
Affected Versions:   Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13, 6.1.0 to 6.1.8 and 6.2.0 to 6.2.2
Severity:            Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:O/RC:C
CVE:                 not assigned yet

Problem Description: Failing to properly validate the HTTP Host header, TYPO3 CMS is susceptible to host spoofing. TYPO3 uses the HTTP Host header to generate absolute URLs in several places, such as 404 handling, http(s) enforcement, password reset links and many more. Since the Host header is supplied by the client, it can be forged to any value, even in a name-based virtual host environment. A blog post describes this problem in great detail.

Solution: Update to TYPO3 versions 4.5.34, 4.7.19, 6.0.14, 6.1.9 or 6.2.3 and check or update your web server configuration as described below.

Additional Notes: These versions introduce a new configuration option:

  $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern']

This option can contain either the value "SERVER_NAME" or a regular expression pattern that matches all host names that are considered trustworthy for the particular TYPO3 installation. "SERVER_NAME" is the default value shipped with the above mentioned TYPO3 versions. With this option value in effect, TYPO3 checks the currently submitted Host header against the SERVER_NAME variable. The SERVER_NAME variable contains trusted values in the following cases:

Apache Webserver: Apache is set up to use name-based virtual hosts, and the TYPO3 installation is part of one virtual host and not the default host. Only values that are part of the ServerName or ServerAlias values in the virtual host configuration are then set as SERVER_NAME.

Nginx Webserver: Nginx is set up with different server blocks, and the TYPO3 installation is not part of the "catch all" server block. By default only the first value of the server_name option is taken into account to populate the SERVER_NAME variable.
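As an added illustration (not TYPO3's own code), the following PHP models the check that trustedHostsPattern enables, in both modes described above: the "SERVER_NAME" comparison and the regular-expression mode. The function name, the example pattern and the sample Host header values are assumptions.

```php
<?php
// Added example, not TYPO3 code: models the trusted-host check that the new
// $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] option enables.
// The function name, the example pattern and the sample hosts are assumptions.

/**
 * Decide whether a client-supplied Host header may be used to build absolute
 * URLs (404 handling, https enforcement, password reset links, ...).
 *  - 'SERVER_NAME': compare against the web server's SERVER_NAME variable,
 *    which is only trustworthy when the server fills it from its own vhost
 *    configuration rather than from the request (see the Apache/Nginx notes);
 *  - anything else: treat the option as a PCRE pattern the host must match.
 */
function isTrustedHost(string $hostHeader, string $trustedHostsPattern, string $serverName): bool
{
    // Strip an optional port so "example.org:8443" is checked as "example.org".
    $host = strtolower(preg_replace('/:\d+$/', '', $hostHeader));

    if ($trustedHostsPattern === 'SERVER_NAME') {
        return $host === strtolower($serverName);
    }
    // Anchor the pattern so a partial match ("example.org.forged.invalid") fails.
    return preg_match('~^(?:' . $trustedHostsPattern . ')$~i', $host) === 1;
}

// Hardened setting for an installation whose SERVER_NAME cannot be trusted
// (e.g. TYPO3 served from Apache's default host): enumerate the real hosts.
$GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] = '(www\.)?example\.org';
$pattern = $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'];

// Constructed sample Host headers: two legitimate values and two forged ones.
$samples = [
    'www.example.org'            => true,
    'example.org:8443'           => true,
    'example.org.forged.invalid' => false,
    'forged.invalid'             => false,
];
foreach ($samples as $hostHeader => $shouldPass) {
    $accepted = isTrustedHost($hostHeader, $pattern, 'example.org');
    printf("%-28s %s\n", $hostHeader, $accepted === $shouldPass ? 'ok' : 'MISMATCH');
}

// With the shipped default 'SERVER_NAME', a forged header is rejected only
// because the web server set SERVER_NAME independently of the request.
$accepted = isTrustedHost('forged.invalid', 'SERVER_NAME', 'example.org');
printf("default mode, forged host accepted: %s\n", $accepted ? 'yes' : 'no');
```

If SERVER_NAME is itself copied from the request (Apache default host without UseCanonicalName), the default mode accepts any value, which is why the regular-expression mode is the safe choice there.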
If you specified more than one server name in your Nginx configuration, you have to additionally add the following configuration:

  fastcgi_param SERVER_NAME $host;

If TYPO3 is served by Apache from the default host, updating to the current TYPO3 versions is not enough! Apache then sets the SERVER_NAME variable directly to the (untrusted) Host header value. In such a setup you must either set "UseCanonicalName On" in your Apache configuration, or change the TYPO3 configuration option to a regular expression that matches all trusted host names of your TYPO3 installation.

IMPORTANT: We tried hard to avoid a breaking change with these new versions and at the same time deliver a secure default setup for most users. We may have missed edge cases (like web servers other than the above, or a complex reverse proxy setup) where the default configuration breaks your site after the update. If you have a (server) setup that is considerably different from the scenarios described above, you should test whether your TYPO3 installation still works after the update with the provided default configuration.

Credits: Credits go to Security Team Member Helmut Hummel who discovered and reported the issue and to Wouter van Dongen who discovered and reported a particular exploit possibility.


Vulnerable subcomponent: Color Picker Wizard
Vulnerability Type:      Insecure Unserialize
Affected Versions:       Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13 and 6.1.0 to 6.1.8
Severity:                Low
Suggested CVSS v2.0:     AV:N/AC:M/Au:S/C:N/I:P/A:P/E:F/RL:O/RC:C
CVE:                     not assigned yet

Problem Description: Failing to validate the authenticity of a passed serialized string, the color picker wizard is susceptible to insecure unserialize, allowing authenticated editors to unserialize arbitrary PHP objects.

Solution: Update to TYPO3 versions 4.5.34, 4.7.19, 6.0.14 or 6.1.9 that fix the problem described. TYPO3 version 6.2 is not affected by this vulnerability.
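The authenticity check the color picker wizard lacked, as an added example rather than TYPO3's own fix: serialized wizard parameters are signed with an HMAC before they leave the server and verified before unserialize() runs, with object instantiation disabled as a second barrier. The key constant, function names and sample parameters are assumptions.

```php
<?php
// Added example, not TYPO3 code: protects a serialized parameter string that
// round-trips through the client with an HMAC, the authenticity check the
// color picker wizard lacked. Key handling and names are assumptions.

const WIZARD_PARAM_KEY = 'replace-with-an-installation-specific-secret'; // placeholder

/** Serialize $params and append an HMAC so any tampering is detectable. */
function signWizardParams(array $params): string
{
    $payload = serialize($params);
    $mac = hash_hmac('sha256', $payload, WIZARD_PARAM_KEY);
    return base64_encode($payload) . '.' . $mac;
}

/**
 * Verify the HMAC before unserializing. Returns null on any failure and
 * forbids object instantiation ('allowed_classes', PHP >= 7.0), so even a
 * correctly signed payload can only yield scalars and arrays.
 */
function verifyWizardParams(string $token): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[0], true);
    if ($payload === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload, WIZARD_PARAM_KEY);
    if (!hash_equals($expected, $parts[1])) {   // constant-time comparison
        return null;
    }
    $data = unserialize($payload, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Constructed sample: parameters such a wizard would carry through a request.
$token = signWizardParams(['field' => 'tx_demo_color', 'table' => 'tt_content']);
printf("intact token accepted:   %s\n", verifyWizardParams($token) !== null ? 'yes' : 'no');

// Change one character of the payload: the MAC no longer matches, so nothing
// is ever passed to unserialize().
$tampered = substr_replace($token, $token[3] === 'A' ? 'B' : 'A', 3, 1);
printf("tampered token accepted: %s\n", verifyWizardParams($tampered) !== null ? 'yes' : 'no');
```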
Credits: Credits go to Security Team member Helmut Hummel who discovered and reported the issue.


Vulnerable subcomponent: Backend
Vulnerability Type:      Cross-Site Scripting
Affected Versions:       Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13, 6.1.0 to 6.1.8 and 6.2.0 to 6.2.2
Severity:                Low
Suggested CVSS v2.0:     AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C
CVE:                     not assigned yet

Problem Description: Failing to properly encode user input, several backend components are susceptible to Cross-Site Scripting, allowing authenticated editors to inject arbitrary HTML or JavaScript by crafting URL parameters.

Solution: Update to TYPO3 versions 4.5.34, 4.7.19, 6.0.14, 6.1.9 or 6.2.3 that fix the problem described.

Credits: Credits go to Security Team members Georg Ringer, Franz Jahn and Marc Bastian Heinrichs who discovered and reported the issues.


Vulnerable subcomponent: ExtJS
Vulnerability Type:      Cross-Site Scripting
Affected Versions:       Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13, 6.1.0 to 6.1.8 and 6.2.0 to 6.2.2
Severity:                Medium
Suggested CVSS v2.0:     AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C
CVE:                     not assigned yet

Problem Description: The ExtJS JavaScript framework that is shipped with TYPO3 also delivers a Flash file used to show charts. This file is susceptible to Cross-Site Scripting. This vulnerability can be exploited without any authentication.

Solution: Update to TYPO3 versions 4.5.34, 4.7.19, 6.0.14, 6.1.9 or 6.2.3 that fix the problem described, or delete the file typo3/contrib/extjs/resources/charts.swf, as it is not used by TYPO3 at all.

Credits: Credits go to Ronald Klomp who discovered and reported the issue.


Vulnerable subcomponent: Authentication
Vulnerability Type:      Improper Session Invalidation
Affected Versions:       Versions 6.2.0 to 6.2.2
Severity:                Low
Suggested CVSS v2.0:     AV:L/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C
CVE:                     not assigned yet

Problem Description: Failing to properly invalidate user sessions that have timed out, it is possible to successfully transmit one authenticated request before the session is finally discarded.

Solution: Update to TYPO3 version 6.2.3 that fixes the problem described.

Credits: Credits go to Markus Klein who discovered and reported the issue.


Vulnerability Type:  Authentication Bypass
Affected Versions:   All TYPO3 versions not configured to use salted passwords
Severity:            Medium
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C
CVE:                 not assigned yet

Problem Description: When the use of salted passwords is disabled (it is enabled by default since TYPO3 4.6 and required since TYPO3 6.2), passwords for backend access are stored as plain MD5 hashes in the database. Such a hash (e.g. obtained through a successful SQL injection) can be used directly to authenticate as a backend user without knowing or reverse engineering the password.

Solution: Update to TYPO3 version 6.2 or higher, or configure TYPO3 to make use of salted passwords by installing and configuring the saltedpasswords system component.

Note: In TYPO3 version 6.2 it is still possible to disable salted password hashing for frontend users. It should be apparent that such a setup is insecure and not recommended.


Vulnerable subcomponent: Extbase Framework
Vulnerability Type:      Information Disclosure
Affected Versions:       Versions 6.2.0 to 6.2.2
Severity:                Medium
Suggested CVSS v2.0:     AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:O/RC:C
CVE:                     not assigned yet

Problem Description: Failing to respect the user groups of logged-in users when caching queries, Extbase is susceptible to information disclosure. The query caching introduced in Extbase 6.2 cached query results without regard to the user group they were computed for, so results intended for one user group were presented to a different group.

Solution: Update to TYPO3 version 6.2.3 that fixes the problem described.

Credits: Credits go to Jan Kiesewetter who discovered and reported the issue.
General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================