===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0820
       TYPO3-CORE-SA-2014-001: Multiple Vulnerabilities in TYPO3 CMS
                                26 May 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           TYPO3
Publisher:         TYPO3
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Remote/Unauthenticated      
                   Access Confidential Data       -- Remote/Unauthenticated      
                   Unauthorised Access            -- Remote/Unauthenticated      
                   Reduced Security               -- Existing Account            
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-001/

--------------------------BEGIN INCLUDED TEXT--------------------

TYPO3-CORE-SA-2014-001: Multiple Vulnerabilities in TYPO3 CMS

May 22, 2014

Category: TYPO3 CMS

Author: Helmut Hummel

Keywords: TYPO3 CMS, TYPO3-CORE-SA-2014-001, Cross-Site Scripting, Insecure 
Unserialize, Improper Session Invalidation, Authentication Bypass, Information
Disclosure, Host Spoofing

It has been discovered that TYPO3 CMS is vulnerable to Cross-Site Scripting, 
Insecure Unserialize, Improper Session Invalidation, Authentication Bypass, 
Information Disclosure and Host Spoofing.

Component Type: TYPO3 CMS

Vulnerability Types: Cross-Site Scripting, Insecure Unserialize, Improper 
Session Invalidation, Authentication Bypass, Information Disclosure and Host 
Spoofing

Overall Severity: Medium

Release Date: May 22, 2014

Vulnerability Type: Host Spoofing

Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13,
6.1.0 to 6.1.8 and 6.2.0 to 6.2.2

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to properly validate the HTTP Host header, TYPO3
CMS is susceptible to host spoofing. TYPO3 uses the HTTP Host header to
generate absolute URLs in several places, such as 404 handling, http(s)
enforcement, password reset links and many more. Since the Host header is
provided by the client, it can be forged to any value, even in a name-based
virtual host environment. A blog post describes this problem in great detail.

Solution: Update to TYPO3 versions 4.5.34, 4.7.19, 6.0.14, 6.1.9 or 6.2.3 and
check or update your web server configuration as described below.

Additional Notes: These versions introduce a new configuration option:

$GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern']

This option can contain either the value "SERVER_NAME" or a regular expression
pattern that matches all host names that are considered trustworthy for the 
particular TYPO3 installation. "SERVER_NAME" is the default value shipped with
the above mentioned TYPO3 versions. With this option value in effect, TYPO3 
checks the currently submitted host-header against the SERVER_NAME variable. 
The SERVER_NAME variable contains trusted values in the following cases:

Apache Webserver: Apache is set up to use name based virtual hosts while the 
TYPO3 installation is part of one virtual host and not the default host. Only
values that are part of the ServerName or ServerAlias values in the virtual 
host configuration are then set as SERVER_NAME.

Nginx Webserver: Nginx is set up with different server blocks while the TYPO3
installation is not part of the "catch all" server block. By default only the
first value of the server_name option is taken into account to populate the
SERVER_NAME variable. If you specified more than one server name in your Nginx
configuration you additionally have to add the following configuration:
fastcgi_param SERVER_NAME $host;

If TYPO3 is served by Apache from the default host, updating to the current
TYPO3 versions is not enough! Apache then sets the SERVER_NAME variable
directly to the (untrusted) Host header value. In such a setup you must either
set "UseCanonicalName On" in your Apache configuration, or change the TYPO3
configuration option to a regular expression that matches all trusted host
names of your TYPO3 installation.
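The following is an added illustration of the check the advisory describes, written for this bulletin and not taken from TYPO3 core: a function with the two modes of trustedHostsPattern ("SERVER_NAME" comparison, or an anchored regular expression), exercised with constructed Host header values. The function and variable names are hypothetical; stripping the port before matching is a choice made here, not a statement about how TYPO3 itself matches.

```php
<?php
// Hypothetical helper mirroring the semantics of trustedHostsPattern as
// described in the advisory. Not TYPO3 core code.

/**
 * @param string $hostHeader value of the client-supplied HTTP Host header
 * @param string $pattern    'SERVER_NAME' or an anchored regular expression
 * @param string $serverName the web server's SERVER_NAME variable
 * @return bool              true when the request may be trusted for URL generation
 */
function isTrustedHost($hostHeader, $pattern, $serverName)
{
    // Compare on the name only; an optional ":port" suffix is ignored here.
    $host = preg_replace('/:\d+$/', '', $hostHeader);

    if ($pattern === 'SERVER_NAME') {
        // Only meaningful when SERVER_NAME comes from the vhost configuration.
        // On an Apache default host (or UseCanonicalName Off) SERVER_NAME is
        // just the Host header echoed back, so this comparison always passes.
        return strcasecmp($host, $serverName) === 0;
    }

    // Explicit allow-list. The expression must be anchored so that a trusted
    // name cannot appear as a substring of an attacker-controlled one.
    return preg_match('/' . $pattern . '/i', $host) === 1;
}

// Weak setting: matches any host, i.e. the unpatched behaviour.
$weakPattern = '.*';

// Corrected setting, as it would be placed in LocalConfiguration.php:
// $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] = '^(www\.)?example\.org$';
$trustedPattern = '^(www\.)?example\.org$';

// Constructed sample requests against a vhost whose SERVER_NAME is example.org.
$samples = [
    'legitimate name'        => 'www.example.org',
    'legitimate name + port' => 'example.org:443',
    'spoofed suffix'         => 'example.org.evil.tld',
    'spoofed host'           => 'evil.tld',
];
foreach ($samples as $label => $hostHeader) {
    printf("%-24s regex: %-5s weak: %-5s SERVER_NAME: %s\n", $label,
        isTrustedHost($hostHeader, $trustedPattern, 'example.org') ? 'ok' : 'deny',
        isTrustedHost($hostHeader, $weakPattern, 'example.org') ? 'ok' : 'deny',
        isTrustedHost($hostHeader, 'SERVER_NAME', 'example.org') ? 'ok' : 'deny');
}
```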

IMPORTANT: We tried hard to avoid a breaking change with these new versions 
and at the same time deliver a secure default setup for most users. We may 
have missed edge cases (like other web servers than the above, or a complex 
reverse proxy setup) where the default configuration breaks your site after 
the update. If you have a (server) setup that is considerably different from 
the scenarios described above, you should test if your TYPO3 installation 
still works after the update with the provided default configuration.

Credits: Credits go to Security Team Member Helmut Hummel who discovered and
reported the issue and to Wouter van Dongen who discovered and reported a
particular exploit possibility.

Vulnerable subcomponent: Color Picker Wizard

Vulnerability Type: Insecure Unserialize

Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13
and 6.1.0 to 6.1.8

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:N/I:P/A:P/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to validate authenticity of a passed serialized 
string, the color picker wizard is susceptible to insecure unserialize, 
allowing authenticated editors to unserialize arbitrary PHP objects.

Solution: Update to TYPO3 versions 4.5.34, 4.7.19, 6.0.14 or 6.1.9 that fix 
the problem described. TYPO3 version 6.2 is not affected by this 
vulnerability.
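As an added illustration of the defence the problem description implies (authenticating a serialized string before it is unserialized), not code from TYPO3 or from the color picker wizard: the sender attaches an HMAC to the serialized payload, and the receiver verifies it in constant time and refuses to call unserialize() on anything that fails. Function names, the key and the sample data are constructed for this example.

```php
<?php
// Hypothetical helpers; the HMAC key must come from server-side configuration,
// never from the request that carries the serialized string.

function packSigned(array $data, $key)
{
    $payload = serialize($data);
    $mac = hash_hmac('sha256', $payload, $key);
    return $mac . ':' . base64_encode($payload);
}

function unpackSigned($blob, $key)
{
    $parts = explode(':', $blob, 2);
    if (count($parts) !== 2) {
        return null;                                   // malformed input
    }
    list($mac, $encoded) = $parts;
    $payload = base64_decode($encoded, true);
    if ($payload === false) {
        return null;                                   // not valid base64
    }
    // Constant-time comparison. Unauthenticated bytes never reach unserialize(),
    // so the client cannot choose which PHP objects get instantiated.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    // On PHP 7+ an additional ['allowed_classes' => false] option would limit
    // the result to scalars and arrays as defence in depth.
    return unserialize($payload);
}

$key = 'constructed-example-key-replace-in-real-deployments';

// Round trip of an authentic blob (constructed sample data).
$blob = packSigned(['color' => '#ff0000', 'field' => 'bgcolor'], $key);
var_dump(unpackSigned($blob, $key));

// A tampered blob: the payload is altered, the MAC no longer matches and the
// function returns null without ever calling unserialize().
$tampered = substr($blob, 0, -2) . 'AA';
var_dump(unpackSigned($tampered, $key));

// A blob signed under a different key is rejected the same way.
var_dump(unpackSigned(packSigned(['x' => 1], 'other-key'), $key));
```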

Credits: Credits go to Security Team member Helmut Hummel who discovered and 
reported the issue.

Vulnerable subcomponent: Backend

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13,
6.1.0 to 6.1.8 and 6.2.0 to 6.2.2

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to properly encode user input, several backend 
components are susceptible to Cross-Site Scripting, allowing authenticated 
editors to inject arbitrary HTML or JavaScript by crafting URL parameters.

Solution: Update to TYPO3 versions 4.5.34, 4.7.19, 6.0.14, 6.1.9 or 6.2.3 that
fix the problem described.

Credits: Credits go to Security Team members Georg Ringer and Franz Jahn and 
Marc Bastian Heinrichs who discovered and reported the issues.

Vulnerable subcomponent: ExtJS

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13,
6.1.0 to 6.1.8 and 6.2.0 to 6.2.2

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: The ExtJS JavaScript framework that is shipped with TYPO3
also delivers a flash file to show charts. This file is susceptible to 
Cross-Site Scripting. This vulnerability can be exploited without any 
authentication.

Solution: Update to TYPO3 versions 4.5.34, 4.7.19, 6.0.14, 6.1.9 or 6.2.3 that
fix the problem described or delete the file 
typo3/contrib/extjs/resources/charts.swf as it is not used by TYPO3 at all.

Credits: Credits go to Ronald Klomp who discovered and reported the issue.

Vulnerable subcomponent: Authentication

Vulnerability Type: Improper Session Invalidation

Affected Versions: Versions 6.2.0 to 6.2.2

Severity: Low

Suggested CVSS v2.0: AV:L/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to properly invalidate user sessions that have
timed out, TYPO3 allows one further authenticated request to succeed
before the session is finally discarded.

Solution: Update to TYPO3 version 6.2.3, which fixes the problem described.

Credits: Credits go to Markus Klein who discovered and reported the issue.

Vulnerability Type: Authentication Bypass

Affected Versions: All TYPO3 versions not configured to use salted passwords

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: When the use of salted passwords is disabled (it is
enabled by default since TYPO3 4.6 and required since TYPO3 6.2), passwords for
backend access are stored as an unsalted MD5 hash in the database. This hash
(e.g. taken from a successful SQL injection) can be used directly to
authenticate backend users without knowing or reverse engineering the password.

Solution: Update to TYPO3 version 6.2 or higher, or configure TYPO3 to make use
of salted passwords by installing and configuring the saltedpasswords system
extension.

Note: In TYPO3 version 6.2 it is still possible to disable salted password
hashing for frontend users. It should be apparent that such a setup is insecure
and not recommended.

Vulnerable subcomponent: Extbase Framework

Vulnerability Type: Information Disclosure

Affected Versions: Versions 6.2.0 to 6.2.2

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to respect the user groups of logged-in users when
caching queries, Extbase is susceptible to information disclosure. The query
caching introduced in Extbase 6.2 cached queries in such a way that results
intended for one specific user group were presented to a different group.

Solution: Update to TYPO3 version 6.2.3, which fixes the problem described.

Credits: Credits go to Jan Kiesewetter who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can 
easily look them up on our review system.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================