Re: CVE request: TYPO3-CORE-SA-2013-003

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/07/2013 02:14 AM, Henri Salo wrote:
> Could you assign two 2013 CVE identifiers for following issues,
> thanks. We have agreed with Helmut Hummel that I'm requesting TYPO3
> CVEs in the future using private method from: 
> http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html
>
>  
> http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-003
>
>  Component Type: TYPO3 Core Vulnerability Types: Cross-Site
> Scripting, Remote Code Execution Overall Severity: Critical Release
> Date: September 4, 2013
>
> #1 CVE-2013-XXXX
>
> Vulnerable subcomponent: File handling / File Abstraction Layer 
> Vulnerability Type: Incomplete Access Management Affected Versions:
> All versions from 6.0.0 up to the development branch of 6.2 
> Severity: Medium Suggested CVSS v2.0:
> AV:N/AC:L/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C
>
> Problem Description: TYPO3 comes with the possibility to restrict
> editors to certain file actions (copy, delete, move etc.) and to
> restrict these actions to be performed in certain locations (file
> mounts). This permission handling was only partly implemented with
> the introduction of the File Abstraction Layer (FAL). The file
> action permissions that can be set in backend user and group 
> records were not respected and users could break out of file mounts
> by crafting URLs. Thus, unprivileged users could create or read
> arbitrary files within or outside the document root.
>
> Solution: Update to the TYPO3 version 6.0.9, 6.1.4 or the latest
> development version! It is important to clear all caches (clear
> cache all in the backend or deleting the complete typo3temp/Cache
> directory) for the changes to take effect after the TYPO3 source
> files have been updated!
>
> Notes: Administrators are advised to set file permissions for
> backend users or groups by using user TS Config instead of using
> the file permission check boxes in the user or group records. This
> allows more fine grained control for single file action
> permissions. Examples in the advisory.
>
> Credits: Credits go to Sebastian Nerz who discovered and reported
> the issues, Steffen Ritter and Helmut Hummel for creating the fixes
> and Anja Leichsenring, Susanne Moog, Michiel Roos, Sascha Egerer
> and Ernesto Baschny for testing.

Please use CVE-2013-4320 for this issue.

> #2 CVE-2013-XXXX
>
> Vulnerable subcomponent: File Abstraction Layer Vulnerability Type:
> Remote Code Execution Affected Versions: All versions from 6.0.0 up
> to the development branch of 6.2 Severity: Critical Suggested CVSS
> v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:O/RC:C
>
> Problem Description: The check for denied file extensions
> implemented in the File Abstraction Layer as mentioned in advisory
> TYPO3-CORE-SA-2013-002 was incomplete. It was still possible for
> editors to rename files to have denied file extensions by inserting
> special characters that were removed at a later point. This (again)
> allowed authenticated editors to forge php files with arbitrary
> code, which can then be executed in web server's context.
>
> Solution: Update to the TYPO3 version 6.0.9, 6.1.4 or the latest
> development version!

Please use CVE-2013-4321 for this issue.

> Credits: Credits go to Sascha Egerer who discovered and reported
> the issue.
>
> --- Henri Salo


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSLimyAAoJEBYNRVNeJnmT/AYP/0nbRLS5HmLSdkGF1MIm147A
FbCKgzUyZd2/UOOE8n+upjTyz+BVHvi4pK6eDpuIWquyTZE1U/jw1+tlTHvuo4iR
gHhSmDBZf85pHYOwQoT0f8FTwk5+g0Sf2glgXGMBx33rwV264371jfN61G0uXEJg
YR/U6HfEJl+kQZ+HbRu9bab9KkJN4mzGJZ1TRbWLZ3IYKlttF1NVS+fOFAuAGcNa
mRdKcxhTarkDCRodped3R1KNy5r6C1Gv6WqPnkDVjjhOipPCmgEdwbEVR/rpO+Lf
4jzUbdoko08hm9TizTCZIImveIzPlmYQ7L46xjMDEa6TfHXwMXDRKKkAWI01oH8T
0qzE1cI0C1oN7oKGrrrY7edtvzL8Hvovj+4Xo7jHBwdBRKrAmqn8AUwGyuylPQBW
BCaH/sBuHcy5gaWDu2dmaIYE/fr50VIcM+5HnuWHmmAJo0A0zy7iiW4ivAOMMqhu
v+F3MmtQQANliVGnFLkUVluqsbRF7dc54m9IJY1WdZoZMdEzhRNWdQlrwtRx0KuD
VlybnyOJUp2OGS6sHBR6nLYucq6NT39Q118dUKPTp7ktVkhYy9Y+SniexWkIMQCE
fBIsiC9mf9lMZO+JzLt3x1PltxEywi2fmB8RQ/Yj+3qY6nUZCbDE3GU8U3obLxdl
X80mC3JFdtDFZFK94mCh
=oPhI
-----END PGP SIGNATURE-----