Re: [Ticket#2012111110000015] TYPO3-CORE-SA-2012-005: Several Vulnerabilities in TYPO3 Core

[TYPO3 Security Team <security () typo3 org>]

Dear Kurt Seifried,

Thank you for your request.

I'm a bit embarrassed about our response time :(

Very sorry for that. Things will vastly improve in the near future!

12/10/2012 22:40 - Kurt Seifried wrote:

> Can the Typo3 security team please confirm the following:
>
> > Component Type: TYPO3 Core Affected Versions: 4.5.0 up to 4.5.20,
> > 4.6.0 up to 4.6.13, 4.7.0 up
> to 4.7.5 and development releases of the 6.0 branch.
> > Vulnerability Types: SQL Injection, Cross-Site Scripting,
> Information Disclosure
>
> so no CVE's needed for this, this is simply a summary of the below issues?

True!

> > Vulnerable subcomponent: TYPO3 Backend History Module Vulnerability
> > Type: SQL Injection, Cross-Site Scripting Solution: Update to the
> > TYPO3 version 4.5.21, 4.6.14 or 4.7.6 that
> fix the problem described!
> > Credits: Credits go to Thomas Worm who discovered and reported the
> issue.
>
> Did he discover both the SQL Injection and the Cross-Site Scripting
> issues? 

No, he only discovered the XSS. We discovered the SQLi while fixing the XSS.

> Can you provide a link to the specific code fixes?

Here it is.
https://review.typo3.org/16304

> so 2 cve's needed correct?

Yes.

> > Vulnerable subcomponent: TYPO3 Backend History Module Vulnerability
> > Type: Information Disclosure
> Solution: Update to the TYPO3 version 4.5.21, 4.6.14 or 4.7.6 that fix
> the problem described!
> > Credits: Credits go to Core Team Member Oliver Hader who
> > discovered
> and fixed the issue.
>
> so one cve needed here? Can you provide a link to the specific code fixes?

Yes.

It's also fixed in the same change:
https://review.typo3.org/16304

> > Vulnerable subcomponent: TYPO3 Backend API Vulnerability Type:
> > Cross-Site Scripting Solution: Update to the TYPO3 version 4.5.21,
> > 4.6.14 or 4.7.6 that
> fix the problem described!
> > Credits: Credits go to Johannes Feustel who discovered and
> > reported
> the issue.
>
> so one cve needed here? Can you provide a link to the specific code fixes?

Yes: https://review.typo3.org/16305

> > Vulnerability Type: Cross-Site Scripting Solution: Update to the
> > TYPO3 version 4.5.21, 4.6.14 or 4.7.6 that
> fix the problem described!
> > Credits: Credits go to Richard Brain who discovered and reported
> > the
> issue.
>
> so one cve needed here? Can you provide a link to the specific code fixes?

Yes: https://review.typo3.org/16300


Regards,

Helmut Hummel
Member of the TYPO3 Security Team

--
TYPO3 Security Team homepage: http://typo3.org/teams/security/

E-Mail: security () typo3 org

Please note: When replying to this e-mail, please leave the header intact.