oss-sec mailing list archives

CVE request: TYPO3-CORE-SA-2012-005


From: Florian Weimer <fw () deneb enyo de>
Date: Sat, 10 Nov 2012 21:14:03 +0100

<http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-005/>
identifies the following vulnerabilities:

| Vulnerable subcomponent: TYPO3 Backend History Module
| Vulnerability Type: SQL Injection, Cross-Site Scripting
 
| Problem Description: Due to missing encoding of user input, the
| history module is susceptible to SQL Injection and Cross-Site
| Scripting. A valid backend login is required to exploit this
| vulnerability.
| 
| Solution: Update to the TYPO3 version 4.5.21, 4.6.14 or 4.7.6 that fix
| the problem described!
|
| Credits: Credits go to Thomas Worm who discovered and reported the
| issue.

(Probably needs two CVEs, one for SQL injection, one for cross-site
scripting.)

| Vulnerable subcomponent: TYPO3 Backend History Module
| Vulnerability Type: Information Disclosure

| Problem Description: Due to a missing access check, regular editors
| could see the history view of arbitrary records, only by forging a
| proper URL for the History Module. A valid backend login is required
| to exploit this vulnerability.
|
| Solution: Update to the TYPO3 version 4.5.21, 4.6.14 or 4.7.6 that
| fix the problem described!
|
| Credits: Credits go to Core Team Member Oliver Hader who discovered
| and fixed the issue.

And:

| Vulnerable subcomponent: TYPO3 Backend API
| Vulnerability Type: Cross-Site Scripting

| Problem Description: Failing to properly HTML-encode user input, the
| tree render API (TCA-Tree) is susceptible to Cross-Site
| Scripting. TYPO3 Versions below 6.0 do not make use of this API,
| thus are not exploitable, if no third party extension is installed
| which uses this API. A valid backend login is required to exploit
| this vulnerability.
|
| Solution: Update to the TYPO3 version 4.5.21, 4.6.14 or 4.7.6 that
| fix the problem described!
|
| Credits: Credits go to Johannes Feustel who discovered and reported
| the issue.

(The version range appears to be different from the cross-site
scripting above.)

| Vulnerable subcomponent: TYPO3 Backend API
| Vulnerability Type: Cross-Site Scripting

| Problem Description: Failing to properly encode user input, the
| function menu API is susceptible to Cross-Site Scripting. A valid
| backend login is required to exploit this vulnerability.
|
| Solution: Update to the TYPO3 version 4.5.21, 4.6.14 or 4.7.6 that
| fix the problem described!
|
| Credits: Credits go to Richard Brain who discovered and reported the
| issue.

(This can perhaps be merged with the first cross-site scripting CVE.)

