oss-sec mailing list archives

Re: CVE request: simplesamlphp / Typo3

From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 23 Dec 2011 17:18:33 -0700

On 12/23/2011 02:58 PM, Moritz Mühlenhoff wrote:

AFAICS all the other Typo3 issues from 2011 have IDs assiged:
TYPO3-CORE-SA-2011-004: CVE-2011-4614
TYPO3-CORE-SA-2011-003: CVE-2011-3584
TYPO3-CORE-SA-2011-002: CVE-2011-3583

Cheers,
        Moritz

Good =) I assumed if no 001, then nothing later, plus they are allreserved (where/how did they get assigned?). Odd. Anyways here at the CVE's:


http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2011-001/

=================================================
Vulnerable subcomponent #1: Frontend
Vulnerability Type: Cross-Site Scripting
Severity: High

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C (What'sthat?)Problem Description: Failing to properly sanitize URL parameters the"JSwindow" property of the typolink function is susceptible toCross-Site Scripting. The problem does not exist if the third partyextension "realurl" is used and it's configuration parameter"doNotRawUrlEncodeParameterNames" is set to FALSE (default).Solution: Update to the TYPO3 versions 4.3.12, 4.4.9 or 4.5.4 that fixthe problem described.

Credits: Credits go to Marco Bresch who discovered and reported the issue.

CVE-2011-4626

=================================================

Vulnerable subcomponent #2: Backend
Vulnerability Type: Information Disclosure
Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C (What'sthat?)Problem Description: For authentication attempts with wrong credentials,TYPO3 sends different HTTP-Headers depending if provided username orprovided password is wrong.Solution: Update to the TYPO3 versions 4.3.12, 4.4.9 or 4.5.4 that fixthe problem described.Credits: Credits go to Sebastian Schinzel who discovered and reportedthe issue.


CVE-2011-4627

=================================================
Vulnerability Type: Authentication Delay Bypass
Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C (What'sthat?)Problem Description: The TYPO3 Backend login has a delay forauthentication attempts with wrong credentials. By using a craftedrequest, an attacker is able to bypass the madantory delay in such cases.Solution: Update to the TYPO3 versions 4.3.12, 4.4.9 or 4.5.4 that fixthe problem described.Credits: Credits go to Sebastian Schinzel who discovered and reportedthe issue.


CVE-2011-4628

=================================================

Vulnerability Type: Cross-Site Scripting
Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:U/RL:OF/RC:C (What'sthat?)Problem Description: Failing to properly sanitize an username the adminpanel is susceptible to Cross-Site Scripting.Solution: Update to the TYPO3 versions 4.3.12, 4.4.9 or 4.5.4 that fixthe problem described.Credits: Credits go to TYPO3 Security Team member Georg Ringer whodiscovered and reported the issue.


CVE-2011-4629

=================================================


Vulnerability Type: Cross-Site Scripting
Severity: Medium

Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:P/A:N/E:U/RL:OF/RC:C (What'sthat?)Problem Description: Failing to properly sanitize a content element'slink attribute the browse_links wizard is susceptible to Cross-SiteScripting. Exploiting requires an attacker to prepare a content elementand trick its victim to open the browse_links wizard for this record.Solution: Update to the TYPO3 versions 4.3.12, 4.4.9 or 4.5.4 that fixthe problem described.Credits: Credits go to TYPO3 Security Team member Georg Ringer whodiscovered and reported the issue.


CVE-2011-4630

=================================================

Vulnerability Type: Cross-Site Scripting
Severity: Medium

Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:P/A:N/E:U/RL:OF/RC:C (What'sthat?)Problem Description: Failing to properly sanitize a page title thesystem extension recycler is susceptible to Cross-Site Scripting.Exploiting requires an attacker to prepare a page and deleted page andtrick its victim to visit the recycler.Solution: Update to the TYPO3 versions 4.3.12, 4.4.9 or 4.5.4 that fixthe problem described.Credits: Credits go to TYPO3 Core Team member Steffen Gebert whodiscovered and reported the issue.


CVE-2011-4631

=================================================
Vulnerability Type: Cross-Site Scripting
Severity: Medium

Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:P/A:N/E:U/RL:OF/RC:C (What'sthat?)Problem Description: Failing to properly sanitize a page title thetcemain flash message is susceptible to Cross-Site Scripting. Exploitingrequires an attacker to prepare a page and trick its victim to copy/movethe prepared page.Solution: Update to the TYPO3 versions 4.3.12, 4.4.9 or 4.5.4 that fixthe problem described.Credits: Credits go to TYPO3 Security Team member Georg Ringer whodiscovered and reported the issue.


CVE-2011-4632

=================================================
Vulnerability Type: Information Disclosure
Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C (What'sthat?)Problem Description: A TYPO3 Backend user (editor) is able to seeworkspace changes of records in any languages - even for those he hasn'tgot granted access to.

Solution: Update to the TYPO3 versions 4.5.4 that fix the problem described.

Credits: Credits go to TYPO3 Workspaces Team member Michael Klappererwho discovered and reported the issue.


CVE-2011-4900

=================================================
Vulnerability Type: Information Disclosure
Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:P/A:N/E:U/RL:OF/RC:C (What'sthat?)Problem Description: Using "getText" feature on headlines of contentelements it is possible to retrieve arbitrary data from TYPO3 database.The vulnerability results from an insecure configuration incss_styled_content system extension.Solution: Update to the TYPO3 versions 4.3.12, 4.4.9 or 4.5.4 that fixthe problem described.Important Note: Having an adjusted fontTag property in the providedTypoScript (e.g. lib.stdheader.10.1.fontTag) or depending on headlinespassed through fontTag might result in unexpected rendering results.Headline rendering is now handled through dataWrap (e.g.lib.stdheader.10.1.dataWrap). Make sure to check your TypoScript beforethe update and check the wesite rendering after it!Credits: Credits go to Mads Chr. Olesen who discovered and reported theissue.


CVE-2011-4901

=================================================
Vulnerability Type: Unserialize() vulnerability
Severity: High

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:C/A:N/E:U/RL:OF/RC:C (What'sthat?)Problem Description: Special user input of BE editors is treated asserialized data and is deserialized by TYPO3. This allows BE editors todelete any arbitrary file the webserver has access to.Solution: Update to the TYPO3 versions 4.3.12, 4.4.9 or 4.5.4 that fixthe problem described.Credits: Credits go to TYPO3 Security Team member Marcus Krause whodiscovered and reported the issue.


CVE-2011-4902

=================================================
Vulnerable subcomponent #3: Exposed API
Vulnerability Type: Cross-Site Scripting
Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C (What'sthat?)Problem Description: The RemoveXSS function fails to sanitize an attackvector that works in Internet Explorer version 6.Solution: Update to the TYPO3 versions 4.3.12, 4.4.9 or 4.5.4 that fixthe problem described.Credits: Credits go to Vladimir Podkovanov who discovered and reportedthe issue.


CVE-2011-4903

=================================================
Vulnerability Type: Missing Access Control
Severity: High

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:U/RL:OF/RC:C (What'sthat?)Problem Description: ExtDirect endpoints are not associated with TYPO3backend modules and such TYPO3 access control is not applied onExtDirect calls. This allows arbitrary BE users to consume any availableExtDirect endpoint service.Solution: Update to the TYPO3 versions 4.4.9 or 4.5.4 that fix theproblem described.Note: From now on ExtDirect components need to be registered throught3lib_extMgm::registerExtDirectComponent() function call.Credits: Credits go to TYPO3 Security Team member Helmut Hummel whodiscovered and reported the issue.


CVE-2011-4904


--

-Kurt Seifried / Red Hat Security Response Team

Current thread:

CVE request: simplesamlphp / Typo3 Moritz Muehlenhoff (Dec 23)
- Re: CVE request: simplesamlphp / Typo3 Kurt Seifried (Dec 23)
  - Re: CVE request: simplesamlphp / Typo3 Moritz Mühlenhoff (Dec 23)
    - Re: CVE request: simplesamlphp / Typo3 Kurt Seifried (Dec 23)