-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0948
        Multiple vulnerabilities have been identified in TYPO3 CMS
                               13 April 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           TYPO3
Publisher:         TYPO3
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Increased Privileges     -- Remote/Unauthenticated      
                   Cross-site Scripting     -- Remote with User Interaction
                   Access Confidential Data -- Existing Account            
                   Unauthorised Access      -- Existing Account            
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-009
   https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-010
   https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-011
   https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-012

Comment: This bulletin contains four (4) TYPO3 security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

TYPO3-CORE-SA-2016-009: Cross-Site Scripting in TYPO3 Backend

April 12, 2016

Category: TYPO3 CMS
Author: Helmut Hummel
Keywords: Backend, Cross-Site Scripting, XSS

It has been discovered that TYPO3 is susceptible to Cross-Site Scripting.

Component Type: TYPO3 CMS

Release Date: April 12, 2016

Vulnerable subcomponent: Backend

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.19, 7.6.0 to 7.6.4 and 8.0.0

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Because user input is not properly encoded, some backend 
components are vulnerable to Cross-Site Scripting. A valid backend user 
account is needed to exploit this vulnerability.

Solution: Update to TYPO3 version 6.2.20, 7.6.5 or 8.0.1, which fix the problem
described.

Credits: Thanks to Georg Ringer, Nicole Cordes and Alexander Grein who 
discovered and reported the issues.

General Advice: Follow the recommendations that are given in the TYPO3 
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can 
easily look them up on our review system.

- -------------------------------------------------------------------------------

TYPO3-CORE-SA-2016-010: Arbitrary File Disclosure in Form Component

April 12, 2016

Category: TYPO3 CMS
Author: Helmut Hummel
Keywords: Arbitrary File Disclosure, Form

It has been discovered that the TYPO3 Form Component is susceptible to Arbitrary
File Disclosure.

Component Type: TYPO3 CMS

Release Date: April 12, 2016

Vulnerable subcomponent: Form

Vulnerability Type: Arbitrary File Disclosure

Affected Versions: Versions 6.2.0 to 6.2.19

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:N/A:N/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Because user input is not properly validated, the form 
component is susceptible to Arbitrary File Disclosure. A valid backend user 
account is needed to exploit this vulnerability. Only forms that contain 
upload fields are affected.
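The advisory says only that the form component failed to validate user input for forms with upload fields; it does not describe the vector. The block below is an added example written for this bulletin, not TYPO3 code, showing the generic check such a component needs: any file name that arrives from a form must resolve inside the configured upload directory, with traversal segments, absolute paths and symlinks pointing outside all rejected. The directory layout and file names are constructed for the demonstration, and POSIX semantics are assumed for the symlink case.

```python
"""Containment check for file references supplied through a form upload field.

Added example for TYPO3-CORE-SA-2016-010; not TYPO3 code. The advisory does not
describe the vector, so this shows the generic validation: every requested name
must resolve to a path under the upload directory."""
import os
import tempfile


class UnsafePath(ValueError):
    """Raised when a requested file name would resolve outside the upload dir."""


def resolve_upload(upload_dir: str, requested: str) -> str:
    """Return the real path of `requested` inside `upload_dir`, or raise.

    realpath() collapses '..' segments and follows symlinks, so a symlink
    planted inside upload_dir that points outside it is rejected as well."""
    if not requested or requested != requested.strip() or "\x00" in requested:
        raise UnsafePath("empty or malformed file name")
    base = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # os.path.join discards `base` when `requested` is absolute, so an absolute
    # path ends up outside `base` and fails the containment test below.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePath(f"{requested!r} resolves outside the upload directory")
    return candidate


def demo() -> dict:
    """Run the check against constructed inputs in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        upload_dir = os.path.join(tmp, "uploads")
        os.makedirs(upload_dir)
        with open(os.path.join(upload_dir, "cv.pdf"), "wb") as fh:
            fh.write(b"%PDF-1.4 constructed sample\n")
        # A file outside the upload directory, plus a symlink inside it that
        # points at that file (POSIX symlink semantics assumed).
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("constructed secret\n")
        os.symlink(secret, os.path.join(upload_dir, "link.txt"))

        requests = ["cv.pdf", "../secret.txt", "/etc/hostname",
                    "link.txt", "sub/../cv.pdf"]
        for name in requests:
            try:
                resolve_upload(upload_dir, name)
                results[name] = "allowed"
            except UnsafePath:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8s} {name}")
```

Note that "sub/../cv.pdf" is allowed: the check is on where the name resolves, not on whether it contains "..", which is the property that matters for disclosure. A component that only strips ".." from the string would accept names that still escape the directory via a symlink.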

Solution: Update to TYPO3 version 6.2.20, which fixes the problem described.

Credits: Thanks to Gerrit Venema who discovered and reported the issues.

General Advice: Follow the recommendations that are given in the TYPO3 
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can 
easily look them up on our review system.

- -------------------------------------------------------------------------------

TYPO3-CORE-SA-2016-011: Authentication Bypass in TYPO3 CMS

April 12, 2016

Category: TYPO3 CMS
Author: Nicole Cordes
Keywords: Authentication Bypass, Core

It has been discovered that TYPO3 CMS is vulnerable to Authentication Bypass.

Component Type: TYPO3 CMS

Release Date: April 12, 2016

Vulnerable subcomponent: Authentication

Vulnerability Type: Authentication Bypass

Affected Versions: Versions 6.2.0 to 6.2.19, 7.6.0 to 7.6.4 and 8.0.0

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: The default authentication service fails to reject an 
empty string as a password. It is therefore possible to authenticate as a 
backend or frontend user whose record has no password set in the database.

Solution: Update to TYPO3 version 6.2.20, 7.6.5 or 8.0.1, which fix the problem
described.

Note: TYPO3 does not allow user accounts to be created without a password. Your 
TYPO3 installation is therefore only affected if a third-party component has 
created user accounts without a password by manipulating the database directly.
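The defect and its fix, modelled below as an added example written for this bulletin (not TYPO3's own code): a legacy plaintext comparison path that an empty stored password falls into, so that an empty login matches it, beside the hardened version that refuses empty credentials before any comparison, plus the audit that the Note above implies. The record layout, the column name 'password' and the salted-hash format are assumptions made for the illustration.

```python
"""Empty-password authentication bypass, modelled on TYPO3-CORE-SA-2016-011.

Added example for this bulletin, not TYPO3 code. The user rows are constructed,
the column name 'password' and the '$'-separated salt/digest layout are
assumptions, and the legacy plaintext fallback stands in for whatever
comparison let an empty stored password match an empty login."""
import hashlib
import hmac
from typing import Optional


def _digest(password: str, salt: str) -> str:
    """Salted SHA-256, hex encoded (illustrative, not TYPO3's scheme)."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def make_record(uid: int, username: str, password: Optional[str]) -> dict:
    """Build a user row. An empty or None password models a row written
    straight into the database by a third-party component, bypassing the
    normal account creation path that would have required a password."""
    salt = f"salt{uid}"
    stored = f"{salt}${_digest(password, salt)}" if password else password
    return {"uid": uid, "username": username, "password": stored}


# Constructed backend/frontend user records.
USERS = [
    make_record(1, "alice", "correct horse"),
    make_record(2, "legacy", ""),      # empty string stored
    make_record(3, "nullpw", None),    # NULL stored
]


def _salted_match(stored: str, supplied: str) -> bool:
    salt, _, digest = stored.partition("$")
    return hmac.compare_digest(digest, _digest(supplied, salt))


def authenticate_vulnerable(user: dict, supplied: str) -> bool:
    """Pre-fix behaviour: an empty stored password has no '$', so it falls
    through to the legacy plaintext comparison, where '' == '' succeeds."""
    stored = user["password"] or ""
    if "$" in stored:
        return _salted_match(stored, supplied)
    return stored == supplied          # legacy plaintext fallback


def authenticate_fixed(user: dict, supplied: str) -> bool:
    """Post-fix behaviour: an empty credential on either side is rejected
    before any comparison is attempted."""
    stored = user["password"] or ""
    if stored == "" or supplied == "":
        return False
    if "$" in stored:
        return _salted_match(stored, supplied)
    return hmac.compare_digest(stored, supplied)


def login(users: list, username: str, supplied: str,
          check=authenticate_fixed) -> bool:
    """Look up a user by name and run the given check; unknown user is False."""
    for user in users:
        if user["username"] == username:
            return check(user, supplied)
    return False


def find_passwordless(users: list) -> list:
    """Audit: usernames whose stored password is empty or NULL. These are the
    only accounts the bypass can target, and the ones the advisory's note
    says a third-party component may have left behind."""
    return [u["username"] for u in users if not u["password"]]


if __name__ == "__main__":
    for name in ("alice", "legacy", "nullpw"):
        vuln = login(USERS, name, "", authenticate_vulnerable)
        fixed = login(USERS, name, "")
        print(f"{name:7s} empty login: vulnerable={vuln} fixed={fixed}")
    print("passwordless accounts:", find_passwordless(USERS))
```

On a live installation the equivalent of find_passwordless is a query for user rows whose password column is empty or NULL (table and column names depend on the schema and are not given in the advisory). If it returns nothing, the bypass has no account to target; the upgrade is still due, since such rows can appear later.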

Credits: Thanks to Kevin Ditscheid who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can 
easily look them up on our review system.

- -------------------------------------------------------------------------------

TYPO3-CORE-SA-2016-012: Privilege Escalation in TYPO3 CMS

April 12, 2016

Category: TYPO3 CMS

Author: Helmut Hummel

Keywords: Information Disclosure, Version

It has been discovered that TYPO3 CMS is vulnerable to Privilege Escalation.

Component Type: TYPO3 CMS

Release Date: April 12, 2016

Vulnerable subcomponent: Version

Vulnerability Type: Privilege Escalation

Affected Versions: Versions 6.2.0 to 6.2.19, 7.6.0 to 7.6.4 and 8.0.0

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: The workspace/version preview link created by a 
privileged (backend) user could be abused to obtain certain editing 
permissions if the admin panel is configured to be shown. A valid preview link
is required to exploit this vulnerability.

Solution: Update to TYPO3 version 6.2.20, 7.6.5 or 8.0.1, which fix the problem
described.

Credits: Thanks to Helmut Hummel who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can 
easily look them up on our review system.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----