oss-sec mailing list archives
CVE request: TYPO3-CORE-SA-2013-004 and TYPO3-FLOW-SA-2013-001
From: Henri Salo <henri () nerv fi>
Date: Wed, 11 Dec 2013 13:56:02 +0200
Can we assign 10 CVEs for the following TYPO3 issues, thank you. Project's security team is aware of this request. Upgrade is recommended.

Reference for issues 1-9: http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-004/
Reference for issue 10: http://typo3.org/teams/security/security-bulletins/typo3-flow/typo3-flow-sa-2013-001/

Vulnerable subcomponent: Content Editing Wizards

1) Vulnerability Type: Information Disclosure
Affected Versions: Versions 4.5.0 to 4.5.31, 4.7.0 to 4.7.16, 6.0.0 to 6.0.11, 6.1.0 to 6.1.6 and the development branch of 6.2
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:N/A:N/E:F/RL:O/RC:C
Problem Description: Failing to check for user permissions, it is possible for authenticated editors to read (but not update or change) content from arbitrary TYPO3 table columns by forging URL parameters.
Solution: Update to the TYPO3 version 4.5.32, 4.7.17, 6.0.12 or 6.1.7 that fix the problem described.
Credits: Credits go to Security Team member Georg Ringer who discovered and reported the issue.

2) Vulnerability Type: Cross-Site Scripting
Affected Versions: Versions 4.5.0 to 4.5.31, 4.7.0 to 4.7.16, 6.0.0 to 6.0.11, 6.1.0 to 6.1.6 and the development branch of 6.2
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C
Problem Description: Failing to properly encode user input, several content wizards are susceptible to Cross-Site Scripting, allowing authenticated editors to inject arbitrary HTML or JavaScript by crafting URL parameters.
Solution: Update to the TYPO3 version 4.5.32, 4.7.17, 6.0.12 or 6.1.7 that fix the problem described.
Credits: Credits go to Richard Brain and Security Team member Georg Ringer who discovered and reported the issues.

3) Vulnerability Type: Insecure Unserialize
Affected Versions: Versions from 4.5.0 to 4.5.31, 4.7.0 to 4.7.16, 6.0.0 to 6.0.11, 6.1.0 to 6.1.6 and the development branch of 6.2
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:N/I:P/A:P/E:F/RL:O/RC:C
Problem Description: Due to a missing signature for an input parameter an attacker could unserialize arbitrary objects within TYPO3. We are aware of a working exploit which can be used to delete arbitrary files which are writable for the PHP server process. A valid backend user login or a successful Cross-Site Request Forgery attack is required to exploit this vulnerability.
Solution: Update to the TYPO3 version 4.5.32, 4.7.17, 6.0.12 or 6.1.7 that fix the problem described.
Credits: Credits go to Rupert Germann who discovered and reported the issue.

Vulnerable subcomponent: Extension Manager

4) Vulnerability Type: Cross-Site Scripting
Affected Versions: Versions 4.5.0 to 4.5.31 and 4.7.0 to 4.7.16
Severity: Low
Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C
Problem Description: Failing to properly encode user input, the extension manager is susceptible to Cross-Site Scripting. To exploit this vulnerability, attackers could trick authenticated administrators to follow a forged URL which executes injected JavaScript on behalf of the administrator.
Solution: Update to the TYPO3 version 4.5.32 or 4.7.17 that fix the problem described.
Credits: Credits go to Steffen Müller who discovered and reported the issue.

Vulnerable subcomponent: Backend User Administration

5) Vulnerability Type: Cross-Site Scripting
Affected Versions: Versions 6.0.0 to 6.0.11, 6.1.0 to 6.1.6 and the development branch of 6.2
Severity: Low
Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C
Problem Description: Failing to properly encode user input, the Backend User Administration Module is susceptible to Cross-Site Scripting. To exploit this vulnerability, attackers could trick authenticated administrators to follow a forged URL which executes injected JavaScript on behalf of the administrator.
Solution: Update to the TYPO3 version 6.0.12 or 6.1.7 that fix the problem described.
Credits: Credits go to Sebastian Nerz and Security Team member Georg Ringer who discovered and reported the issues.

Vulnerable subcomponent: Extbase

6) Vulnerability Type: Cross-Site Scripting
Affected Versions: Versions from 4.5.0 to 4.5.31, 4.7.0 to 4.7.16, 6.0.0 to 6.0.11, 6.1.0 to 6.1.6 and the development branch of 6.2
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:H/RL:O/RC:C
Problem Description: The errorAction method in the ActionController base class of Extbase returns error messages without properly encoding them. Because these error messages can contain user input, this could lead to a Cross-Site Scripting vulnerability in Extbase Framework driven TYPO3 extensions. For this vulnerability to be exploited the following conditions must be fulfilled:
- An Extbase extension must be installed and be available as plugin or module.
- The plugin or module must have the Rewritten Property Mapper enabled.
- The errorAction has not been overridden in the controller subclass in a way that removes error messages from the return values.
Although we are not aware of any possibility to exploit this issue with the old property mapper or the Extbase version that has been delivered with TYPO3 4.5.x, we removed potentially offending output from these versions as well.
Hint: If you have customized the errorAction in your Extbase extension, which has controller classes that override the error action, we advise you to check that the error messages returned in these actions only contain static strings and are not derived from any kind of user input. If you are not sure whether your code is fine in that regard, feel free to ask on a public mailing list or the forum.
Important: We have received reports that this issue has been actively exploited in the wild.
Solution: Update to the TYPO3 version 4.5.32, 4.7.17, 6.0.12 or 6.1.7 that fix the problem described.
Note: The same problem applies to the TYPO3 Flow Framework. The according advisory is: TYPO3-FLOW-SA-2013-001
Credits: Credits go to André Koch who discovered and reported the issue.

Vulnerable subcomponent: OpenID Extension

7) Vulnerability Type: Open Redirection
Affected Versions: Versions from 4.5.0 to 4.5.31, 4.7.0 to 4.7.16, 6.0.0 to 6.0.11, 6.1.0 to 6.1.6 and the development branch of 6.2
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:O/RC:C
Problem Description: Failing to validate user-provided input, the openid extension allows redirects to arbitrary URLs. For this vulnerability to exist, the openid extension must be installed.
Solution: Update to the TYPO3 version 4.5.32, 4.7.17, 6.0.12 or 6.1.7 that fix the problem described.
Credits: Credits go to Security Team member Georg Ringer who discovered and reported the issue.

Vulnerable subcomponent: Extension table administration library

8) Vulnerability Type: Mass Assignment
Affected Versions: Versions from 4.5.0 to 4.5.31, 4.7.0 to 4.7.16 and 6.0.0 to 6.0.11
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C
Problem Description: Extensions that make use of the feuser_adminLib.inc library to create records are susceptible to Mass Assignment. This means that any links for creating records generated by this library can be manipulated to fill any field in the configured database table with arbitrary values. An attack is not limited to the fields listed in the configuration or the link itself. This library has been deprecated and removed from TYPO3 versions 6.1 and later but we still decided to fix this issue in previous versions.
Hint: Extension authors are highly encouraged not to use this deprecated library anymore.
Solution: Update to the TYPO3 version 4.5.32, 4.7.17 or 6.0.12 that fix the problem described.
Credits: Credits go to Bernhard Kraft who discovered and reported the issue.

Vulnerable subcomponent: (Old) Form Content Element

9) Vulnerability Type: Information Disclosure potentially leading to Privilege Escalation
Affected Versions: Versions from 4.5.0 to 4.5.31, 4.7.0 to 4.7.16, 6.0.0 to 6.0.11, 6.1.0 to 6.1.6 and the development branch of 6.2
Severity: Low
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:N/A:N/E:F/RL:O/RC:C
Problem Description: Editors that have access to the (old) form content element were able to generate arbitrary signatures (HMACs) that could be used in contexts which the editor should not have access to. As a precaution we changed the generation of the signature in a way to prevent usage in a different context.
Note: The old form content element is used by TYPO3 if the delivered extension "form" is not active.
Solution: Update to the TYPO3 version 4.5.32, 4.7.17, 6.0.12 or 6.1.7 that fix the problem described.
Credits: Credits go to Security Team member Franz Jahn who discovered and reported the issue.

10) ID: TYPO3-FLOW-SA-2013-001
Component Type: TYPO3 Flow
Affected Versions: 1.1.0, 2.0.0 and current development branch.
Release Date: December 10, 2013
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:H/RL:O/RC:C
Problem Description: The errorAction method in the ActionController base class of Flow returns error messages without properly encoding them. Because these error messages can contain user input, this could lead to a Cross-Site Scripting vulnerability in Flow driven applications.
Hint: If you have customized the error action in your Flow application, we advise you to check that the error messages returned in these actions only contain static strings and are not derived from any kind of user input. If you are not sure whether your code is fine in that regard, feel free to ask on a public mailing list or the forum.
Solution: Update to Flow Versions 1.1.1 or 2.0.1 which fix the problem described!
Note: The same problem applies to the Extbase Framework in TYPO3. Read the according advisory TYPO3-CORE-SA-2013-004 for more information.

Same issue as in "Vulnerable subcomponent: Extbase", because Extbase (part of TYPO3 CMS) is a backport of TYPO3 Flow. So both products are affected by the same bug. In my opinion this requires its own CVE as there is a different codebase.

---
Henri Salo
Attachment:
signature.asc
Description: Digital signature
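Issues 3 and 9 above describe two sides of the same control: issue 3 is a parameter that reached unserialize() with no signature at all, and issue 9 is an HMAC that was valid in more contexts than the one its minter was allowed to use. The following is an added example, not code from the TYPO3 project or from the advisory, written in Python rather than PHP to show the pattern language-neutrally. The secret key, the feature names "form" and "wizard", and the sample value are all constructed for the example.

```python
import hmac
import hashlib

# Constructed secret for this example only; a real deployment loads its own
# secret from configuration (TYPO3 uses its encryption key for this purpose).
SECRET_KEY = b"example-only-secret-do-not-use"


def sign_unbound(value: str) -> str:
    """HMAC over the bare value (the pattern behind issue 9).

    Any feature that lets a low-privileged user obtain this signature for a
    value of their choosing also hands them a signature that every other
    feature computing the same HMAC over the same value will accept.
    """
    return hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()


def verify_unbound(value: str, signature: str) -> bool:
    return hmac.compare_digest(sign_unbound(value), signature)


def sign_bound(context: str, value: str) -> str:
    """HMAC over (context, value) with an unambiguous encoding.

    The context names the feature minting the signature, so a signature
    minted by the "form" feature does not verify anywhere else, which is the
    precaution the advisory describes. Length prefixes keep ("ab", "c") and
    ("a", "bc") from producing the same message.
    """
    message = f"{len(context)}:{context}|{len(value)}:{value}".encode()
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def verify_bound(context: str, value: str, signature: str) -> bool:
    """Constant-time verification of a context-bound signature."""
    return hmac.compare_digest(sign_bound(context, value), signature)


def load_signed_parameter(context: str, value: str, signature: str) -> str:
    """Issue 3 pattern: a request parameter is only handed on (e.g. to a
    deserializer) if it carries a signature minted by the server for this
    very context. Anything else is rejected before it is interpreted."""
    if not verify_bound(context, value, signature):
        raise ValueError(f"parameter signature invalid for context {context!r}")
    return value


def demo() -> dict:
    """Constructed scenario: a signature minted through the "form" feature is
    presented to the "wizard" feature, once with each signing scheme."""
    value = 'a:1:{i:0;s:3:"foo";}'  # constructed, merely shaped like serialized PHP data
    unbound_sig = sign_unbound(value)
    form_sig = sign_bound("form", value)
    return {
        # the unbound scheme has no notion of where the signature came from
        "unbound_accepted_anywhere": verify_unbound(value, unbound_sig),
        "bound_ok_in_form": verify_bound("form", value, form_sig),
        "bound_rejected_in_wizard": verify_bound("wizard", value, form_sig),
        "bound_rejected_if_value_tampered": verify_bound("form", value + "x", form_sig),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The unbound variant is kept only to make the contrast visible; in a real code base every signing call site names its context and every verifying call site names the same one, so a signature can never be "moved" between features even if one of them lets users mint signatures freely.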
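Issues 6 and 10 both come down to an errorAction that returns validation messages into HTML without encoding them, where the messages echo the submitted value. The block below is an added illustration, not Extbase or Flow code, written in Python instead of PHP; the toy validator, the field names "age" and "name", and the request values are constructed. It shows the flawed rendering next to two fixes the advisory's hint points at: encoding every message, and returning only static strings.

```python
import html

# Constructed static messages keyed by property, as the advisory's hint
# recommends: nothing in them is derived from request input.
STATIC_MESSAGES = {
    "age": "Please enter a whole number.",
    "name": "The name is too long (maximum 20 characters).",
}


def validate_submission(request: dict) -> list:
    """Toy property mapper: rejects a non-numeric 'age' and an over-long
    'name', echoing the rejected value into the message the way many
    validation layers do. Returns a list of (property, message) tuples."""
    errors = []
    age = request.get("age", "")
    if not age.isdigit():
        errors.append(("age", f"'{age}' is not a valid integer"))
    name = request.get("name", "")
    if len(name) > 20:
        errors.append(("name", f"'{name}' exceeds 20 characters"))
    return errors


def error_action_unencoded(errors: list) -> str:
    """Pattern of the flawed errorAction: messages concatenated into the
    response body as-is, so request input becomes live markup."""
    return "<ul>" + "".join(f"<li>{prop}: {msg}</li>" for prop, msg in errors) + "</ul>"


def error_action_encoded(errors: list) -> str:
    """Fix 1: HTML-escape every message (quotes included) before it is
    placed inside markup, so echoed input is rendered as text."""
    items = "".join(
        f"<li>{html.escape(prop, quote=True)}: {html.escape(msg, quote=True)}</li>"
        for prop, msg in errors
    )
    return "<ul>" + items + "</ul>"


def error_action_static(errors: list) -> str:
    """Fix 2 (the advisory's hint): emit only static strings selected by
    property, so no request input is part of the message at all."""
    items = "".join(
        f"<li>{html.escape(prop)}: {STATIC_MESSAGES.get(prop, 'Invalid value.')}</li>"
        for prop, _ in errors
    )
    return "<ul>" + items + "</ul>"


def has_unescaped_tag(body: str, marker: str = "<b>") -> bool:
    """Crude review check: does the constructed marker tag survive unescaped?"""
    return marker in body


# Constructed request: the 'age' value carries a harmless marker tag so the
# difference between the three renderers is visible.
SAMPLE_REQUEST = {"age": "<b>twelve</b>", "name": "a" * 25}

if __name__ == "__main__":
    errs = validate_submission(SAMPLE_REQUEST)
    for fn in (error_action_unencoded, error_action_encoded, error_action_static):
        print(fn.__name__, "->", fn(errs))
```

Encoding at the output boundary is the minimal fix; the static-message variant is what the hint asks extension authors to verify in their own overridden error actions, because it removes the question of whether every code path encodes correctly.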
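Issue 8 is mass assignment: the record-creation links generated by feuser_adminLib.inc could be manipulated so that any column of the configured table, not only the configured fields, was filled from the request. As an added example (not TYPO3 code, and in Python rather than PHP), the block contrasts copying every submitted field with an allow-list that only accepts configured fields and takes privileged columns from server-side defaults. The table columns, defaults and request values are constructed.

```python
import logging

logger = logging.getLogger("record_create")

# Constructed configuration for a frontend-user sign-up form: the fields the
# form is meant to accept, and server-side values for columns the request
# must never control.
ALLOWED_FIELDS = {"username", "email"}
DEFAULTS = {"usergroup": "3", "disable": "1"}  # new accounts inactive, low-privilege group

# Constructed request: the two expected fields plus two extra keys that a
# manipulated link could add.
SUBMITTED = {
    "username": "alice",
    "email": "alice@example.invalid",
    "usergroup": "1",
    "disable": "0",
}


def build_record_unfiltered(submitted: dict) -> dict:
    """Pattern behind the flaw: every submitted key becomes a column value,
    so the request decides the group and activation state of the record."""
    return dict(submitted)


def build_record_allowlisted(submitted: dict, allowed_fields: set, defaults: dict):
    """Hardened: start from server-side defaults, copy only configured
    fields from the request, and report everything that was dropped so the
    attempt is visible in logs. Returns (record, rejected_fields)."""
    record = dict(defaults)
    for field in allowed_fields:
        if field in submitted:
            record[field] = submitted[field]
    rejected = sorted(set(submitted) - allowed_fields)
    if rejected:
        logger.warning("dropped unconfigured fields in create request: %s", rejected)
    return record, rejected


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("unfiltered:", build_record_unfiltered(SUBMITTED))
    print("allowlisted:", build_record_allowlisted(SUBMITTED, ALLOWED_FIELDS, DEFAULTS))
```

The allow-list has to live server-side and be keyed by the form's configuration, not by whatever field list the generated link carries, since the link itself is under the requester's control; logging the rejected keys turns a silent drop into a detectable event.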