25 May 2016
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2016.1310 TYPO3-CORE-SA-2016-013: Missing Access Check in TYPO3 CMS 25 May 2016 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: TYPO3 Publisher: TYPO3 Operating System: UNIX variants (UNIX, Linux, OSX) Windows Impact/Access: Execute Arbitrary Code/Commands -- Existing Account Resolution: Patch/Upgrade Original Bulletin: https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/ - --------------------------BEGIN INCLUDED TEXT-------------------- TYPO3-CORE-SA-2016-013: Missing Access Check in TYPO3 CMS May 24, 2016 Category: TYPO3 CMS Author: Helmut Hummel Keywords: Missing Access Check, Extbase It has been discovered, that TYPO3 CMS lacks an access check for Extbase actions. Component Type: TYPO3 CMS Release Date: May 24, 2016 Vulnerable subcomponent: Extbase Vulnerability Type: Missing access check Affected Versions: Versions 4.3.0 up to 8.1.0 Severity: Critical Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:O/RC:C CVE: not assigned yet Problem Description: Extbase request handling fails to implement a proper access check for requested controller/ action combinations, which makes it possible for an attacker to execute arbitrary Extbase actions by crafting a special request. To successfully exploit this vulnerability, an attacker must have access to at least one Extbase plugin or module action in a TYPO3 installation. The missing access check inevitably leads to information disclosure or remote code execution, depending on the action that an attacker is able to execute. Solution: Update to TYPO3 versions 6.2.24, 7.6.8 or 8.1.1 that fix the problem described. Alternative Solution: Apply the patches suitable for your TYPO3 branch manually. Alternative Solution: Download the zip archive which contains a folder with a script and patches for all affected TYPO3 versions. (Please note: If you were quick and applied the zip file before the regression was fixed, you need to download this undo zip archive, which contains a script to revert the patches. After running the script, you have to use the script from above to secure your TYPO3 CMS instances.) Notes: TYPO3 installations with at least one publicly available Extbase action, are exploitable without any further authentication. TYPO3 installations without publicly available Extbase actions, are still exploitable for authenticated backend users with access to a backend module, which is based on Extbase. Important Note: The fix introduced changes in the internal request handling of Extbase. In case an such unlikely incompatibility with any extension (that relies on internal API) occurs, the TYPO3 installation still remains fully available and functional, with only little minor issues in Extbase form validation handling. Users of any TYPO3 version from 4.3.0 to 8.1.0 are strongly encouraged to upgrade or to at least apply the patches provided below. Please note, that patching a not supported TYPO3 version can be considered only as temporary mitigation. Upgrade to a supported versions should be performed as soon as possible. Credits: Thanks to Stefan Horlacher from Arcus Security GmbH who discovered and reported the issue, Alex Kellner, who also reported the issue and Oliver Hader for discovering a related vulnerability. General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list. General Note: All security related code changes are tagged so that you can easily look them up on our review system. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to firstname.lastname@example.org and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: email@example.com Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBV0T8CH6ZAP0PgtI9AQKqVBAA1BR7/Y71rtXdTP8FshEhLt0iGZTUAzdy WHrtcc0dm4Tnu7hrj+egOC/wu5TIvZCtCpPz+moiSgxFBDPtes7b1NVsYEbva8ZB 1p9td8/65gK0RPnrfgFUdNClwstCwqe5PmsF/o3LcxTh3slTmhvYUivol0Vq4TOt s0FqLZByJ4qdPNe/23QuM+SaH9TWkQ6R3g0v7S0lSrdxJTG9/Jvkz9LCtqQQMSU3 vFKCPw8fKd3FVnXHC0JcpIm+tU8OOg4ySGjjwXFRymjPepyc1w2oRKlF/Fp45YM4 BQfLTq5rloc++uZk4mOYwZ+ErTYcpAiP3seDUDWzUAF2gQu5GqMctLfslTiTj7Kj j2hp0rtjUB1LeXyk+oTmZkl8yjLk/mcbFjYo1ZQvpweKcs0/7+1Gb/+nqxAhDPGP 8QDLc7ROplaQWN+I+PUzwDPIQ/mAuIlkDS1yAXmQRqtrVlPraVLbcbh2zxObU4bH fiEkQUty4cWMh3dy1IiDgmyfxJH6JGo++ClrzsBkbiCYXDcxOI4uq5uGFgiTKyvS 1Cyhuyiz1C+wHWDjwsE9FwkN6JptR6HGWdVAVD7g8q1AWaq18pD8ts+91bRSt1al JGjbdoBWn74V+yk3wJwcvIXLk1wtzzRa1SbRzfUOPcZvfNPBLZUr1nLhWs72u2I2 jtFZcq0Z58Q= =zx1I -----END PGP SIGNATURE-----