oss-sec mailing list archives
Re: CVE request: TYPO3-CORE-SA-2013-003
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 09 Sep 2013 14:04:02 -0600
On 09/07/2013 02:14 AM, Henri Salo wrote:
Could you assign two 2013 CVE identifiers for following issues, thanks. We have agreed with Helmut Hummel that I'm requesting TYPO3 CVEs in the future using private method from:
http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html

http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-003

Component Type: TYPO3 Core
Vulnerability Types: Cross-Site Scripting, Remote Code Execution
Overall Severity: Critical
Release Date: September 4, 2013

#1 CVE-2013-XXXX
Vulnerable subcomponent: File handling / File Abstraction Layer
Vulnerability Type: Incomplete Access Management
Affected Versions: All versions from 6.0.0 up to the development branch of 6.2
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C

Problem Description: TYPO3 comes with the possibility to restrict editors to certain file actions (copy, delete, move etc.) and to restrict these actions to be performed in certain locations (file mounts). This permission handling was only partly implemented with the introduction of the File Abstraction Layer (FAL). The file action permissions that can be set in backend user and group records were not respected and users could break out of file mounts by crafting URLs. Thus, unprivileged users could create or read arbitrary files within or outside the document root.

Solution: Update to the TYPO3 version 6.0.9, 6.1.4 or the latest development version! It is important to clear all caches (clear cache all in the backend or deleting the complete typo3temp/Cache directory) for the changes to take effect after the TYPO3 source files have been updated!

Notes: Administrators are advised to set file permissions for backend users or groups by using user TS Config instead of using the file permission check boxes in the user or group records. This allows more fine grained control for single file action permissions. Examples in the advisory.

Credits: Credits go to Sebastian Nerz who discovered and reported the issues, Steffen Ritter and Helmut Hummel for creating the fixes and Anja Leichsenring, Susanne Moog, Michiel Roos, Sascha Egerer and Ernesto Baschny for testing.
Please use CVE-2013-4320 for this issue.
#2 CVE-2013-XXXX
Vulnerable subcomponent: File Abstraction Layer
Vulnerability Type: Remote Code Execution
Affected Versions: All versions from 6.0.0 up to the development branch of 6.2
Severity: Critical
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:O/RC:C

Problem Description: The check for denied file extensions implemented in the File Abstraction Layer as mentioned in advisory TYPO3-CORE-SA-2013-002 was incomplete. It was still possible for editors to rename files to have denied file extensions by inserting special characters that were removed at a later point. This (again) allowed authenticated editors to forge php files with arbitrary code, which can then be executed in web server's context.

Solution: Update to the TYPO3 version 6.0.9, 6.1.4 or the latest development version!
Please use CVE-2013-4321 for this issue.
Credits: Credits go to Sascha Egerer who discovered and reported the issue.

---
Henri Salo
--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
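
The failure mode described under issue #2 (a denied-extension check that runs before a later step strips characters from the name), shown next to the corrected ordering. This is an added example, not TYPO3 code and not part of the original message; the deny list, the sanitizer's character set and all function names are assumptions made for illustration.

```python
import re

# Constructed deny list for illustration; not TYPO3's actual configuration.
DENIED_EXTENSIONS = {"php", "php5", "phtml", "phar"}

# Hypothetical sanitizer rule: every character outside this set is dropped.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def sanitize(name: str) -> str:
    """Strip characters the storage layer will not keep (assumed behaviour)."""
    return _UNSAFE.sub("", name)


def is_denied(name: str) -> bool:
    """True if any dot-separated part after the first is on the deny list."""
    parts = name.lower().rstrip(".").split(".")[1:]
    return any(p in DENIED_EXTENSIONS for p in parts)


def rename_flawed(requested: str) -> str:
    """Flawed order: validate the raw name, sanitize afterwards."""
    if is_denied(requested):
        raise PermissionError("denied file extension")
    return sanitize(requested)  # the name that gets stored was never checked


def rename_hardened(requested: str) -> str:
    """Hardened order: sanitize first, then validate the name that is stored."""
    final = sanitize(requested)
    if not final.strip(".") or is_denied(final):
        raise PermissionError("denied file extension")
    return final


def audit(names):
    """Names whose raw form passes the check but whose stored form is denied."""
    return [n for n in names if not is_denied(n) and is_denied(sanitize(n))]


if __name__ == "__main__":
    # Constructed sample names, not taken from the advisory.
    samples = ["report.pdf", "notes.p*hp", "image.PHP", "a b.txt"]
    print("check/sanitize mismatch:", audit(samples))
```

The `audit` helper can be run over rename or upload logs to find names where the check and the stored result disagree.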