===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0948
        Multiple vulnerabilities have been identified in TYPO3 CMS
                               13 April 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           TYPO3
Publisher:         TYPO3
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Increased Privileges     -- Remote/Unauthenticated
                   Cross-site Scripting     -- Remote with User Interaction
                   Access Confidential Data -- Existing Account
                   Unauthorised Access      -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin:
  https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-009
  https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-010
  https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-011
  https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-012

Comment: This bulletin contains four (4) TYPO3 security advisories.

---------------------------BEGIN INCLUDED TEXT--------------------

TYPO3-CORE-SA-2016-009: Cross-Site Scripting in TYPO3 Backend

April 12, 2016
Category: TYPO3 CMS
Author: Helmut Hummel
Keywords: Backend, Cross-Site Scripting, XSS

It has been discovered that TYPO3 is susceptible to Cross-Site Scripting.

Component Type: TYPO3 CMS
Release Date: April 12, 2016
Vulnerable subcomponent: Backend
Vulnerability Type: Cross-Site Scripting
Affected Versions: Versions 6.2.0 to 6.2.19, 7.6.0 to 7.6.4 and 8.0.0
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:P/RL:O/RC:C
CVE: not assigned yet

Problem Description: Failing to properly encode user input, some backend
components are vulnerable to Cross-Site Scripting. A valid backend user
account is needed to exploit this vulnerability.
Solution: Update to TYPO3 versions 6.2.20, 7.6.5 or 8.0.1, which fix the
problem described.

Credits: Thanks to Georg Ringer, Nicole Cordes and Alexander Grein who
discovered and reported the issues.

General Advice: Follow the recommendations that are given in the TYPO3
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can
easily look them up on our review system.

--------------------------------------------------------------------------------

TYPO3-CORE-SA-2016-010: Arbitrary File Disclosure in Form Component

April 12, 2016
Category: TYPO3 CMS
Author: Helmut Hummel
Keywords: Arbitrary File Disclosure, Form

It has been discovered that the TYPO3 Form Component is susceptible to
Arbitrary File Disclosure.

Component Type: TYPO3 CMS
Release Date: April 12, 2016
Vulnerable subcomponent: Form
Vulnerability Type: Arbitrary File Disclosure
Affected Versions: Versions 6.2.0 to 6.2.19
Severity: High
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:N/A:N/E:P/RL:O/RC:C
CVE: not assigned yet

Problem Description: Failing to properly validate user input, the form
component is susceptible to Arbitrary File Disclosure. A valid backend user
account is needed to exploit this vulnerability. Only forms that contain
upload fields are vulnerable.

Solution: Update to TYPO3 version 6.2.20, which fixes the problem described.

Credits: Thanks to Gerrit Venema who discovered and reported the issues.

General Advice: Follow the recommendations that are given in the TYPO3
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can
easily look them up on our review system.
--------------------------------------------------------------------------------

TYPO3-CORE-SA-2016-011: Authentication Bypass in TYPO3 CMS

April 12, 2016
Category: TYPO3 CMS
Author: Nicole Cordes
Keywords: Authentication Bypass, Core

It has been discovered that TYPO3 CMS is vulnerable to Authentication Bypass.

Component Type: TYPO3 CMS
Release Date: April 12, 2016
Vulnerable subcomponent: Authentication
Vulnerability Type: Authentication Bypass
Affected Versions: Versions 6.2.0 to 6.2.19, 7.6.0 to 7.6.4 and 8.0.0
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:P/RL:O/RC:C
CVE: not assigned yet

Problem Description: The default authentication service fails to reject an
empty string as a password. Therefore it is possible to authenticate as
backend and frontend users that have no password set in the database.

Solution: Update to TYPO3 versions 6.2.20, 7.6.5 or 8.0.1, which fix the
problem described.

Note: TYPO3 does not allow creating user accounts without a password. Your
TYPO3 installation is likely to be affected only if a third-party component
creates user accounts without a password by manipulating the database
directly.

Credits: Thanks to Kevin Ditscheid who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can
easily look them up on our review system.

--------------------------------------------------------------------------------

TYPO3-CORE-SA-2016-012: Privilege Escalation in TYPO3 CMS

April 12, 2016
Category: TYPO3 CMS
Author: Helmut Hummel
Keywords: Information Disclosure, Version

It has been discovered that TYPO3 CMS is vulnerable to Privilege Escalation.
Component Type: TYPO3 CMS
Release Date: April 12, 2016
Vulnerable subcomponent: Version
Vulnerability Type: Privilege Escalation
Affected Versions: Versions 6.2.0 to 6.2.19, 7.6.0 to 7.6.4 and 8.0.0
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:P/RL:O/RC:C
CVE: not assigned yet

Problem Description: The workspace/version preview link created by a
privileged (backend) user could be abused to obtain certain editing
permissions if the admin panel is configured to be shown. A valid preview
link is required to exploit this vulnerability.

Solution: Update to TYPO3 versions 6.2.20, 7.6.5 or 8.0.1, which fix the
problem described.

Credits: Thanks to Helmut Hummel who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can
easily look them up on our review system.

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
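As an added illustration of the empty-password bypass described in TYPO3-CORE-SA-2016-011 above, the following Python model (written for this bulletin, not TYPO3's own code; the user-record layout, hashing scheme and function names are assumptions) shows an authentication check that degrades to comparing empty strings, the same check with the empty-password guard the advisory's fix implies, and an audit helper that lists accounts whose stored password is empty.

```python
# Model of the empty-password bypass in TYPO3-CORE-SA-2016-011. Written for
# this bulletin, not TYPO3's own code; record layout, hashing and names are
# assumptions.
import hashlib
import hmac
import os

def hash_password(password, salt=None):
    """Salted PBKDF2 hash stored as '<salt hex>$<digest hex>' (assumed format)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()

def _matches(stored, password):
    """Compare a submitted password with the stored value.
    An account whose password was never set stores an empty string; with no
    separator the check degrades to a literal compare, so '' matches ''."""
    if "$" not in stored:
        return hmac.compare_digest(stored, password)
    salt_hex, _ = stored.split("$", 1)
    recomputed = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)

def authenticate_vulnerable(users, username, password):
    """Affected behaviour: no guard against empty passwords before comparing."""
    user = users.get(username)
    return user is not None and _matches(user["password"], password)

def authenticate_fixed(users, username, password):
    """Fixed behaviour: reject an empty submitted or stored password up front."""
    user = users.get(username)
    if user is None or password == "" or user["password"] == "":
        return False
    return _matches(user["password"], password)

def accounts_without_password(users):
    """Audit helper: usernames whose stored password is empty, the state a
    third-party component writing directly to the database could leave."""
    return sorted(name for name, rec in users.items() if rec["password"] == "")

# Constructed sample records: a normal editor and an account inserted directly
# into the database with no password set.
USERS = {
    "editor": {"password": hash_password("correct horse")},
    "imported": {"password": ""},
}
```

Running `accounts_without_password` against a real user table is the quick check the advisory's note calls for before deciding whether an installation is exposed.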
===========================================================================