oss-sec mailing list archives

Re: CVE request: TYPO3-EXT-SA-2014-014 and TYPO3-EXT-SA-2014-015


From: cve-assign () mitre org
Date: Sat, 18 Oct 2014 14:16:48 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-014/

It has been discovered that the extension "fal_sftp" (fal_sftp) is
susceptible to Improper Access Control.

AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C

Configured permissions of newly created files and folders for the sFTP
driver are set incorrectly.

Use CVE-2014-8327.


http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-015/

It has been discovered that the extension "Dynamic Content Elements"
(dce) is susceptible to Information Disclosure.

AV:N/AC:L/Au:S/C:P/I:N/A:N/E:H/RL:OF/RC:C

The extension provides a functionality to check for extension updates.
Along with this functionality, installation environment data is
automatically reported to the infrastructure of the extension author
without user interaction.

Use CVE-2014-8328.

This is within the scope of CVE because TYPO3 has published a Security
Bulletin indicating that it's a vulnerability from their perspective.
The Credits section says "Credits go to Georg Ringer who discovered
and reported the issue and Armin Vieweg who quickly responded &
resolved this issue," where Armin Vieweg is apparently the author of
the extension:

  http://typo3.org/extensions/repository/view/dce

  Last upload comment: Changed new option disableUpdateCheck to
  enableUpdateCheck and disables it by default.

  Author: Armin Ruediger Vieweg

This might imply a security policy of "'installation environment data
is ... reported to the infrastructure of the extension author' was
intentional behavior, and can remain the intentional behavior of an
apparently useful update feature; however, it must not be the
default."

Documentation/PrivacyPolicy/Index.rst has:

  The backend module of DCE may contain an image which is located on my
  server. It shows the user if there is a new DCE version available.

  It passes:

  - the TYPO3 version
  - the DCE version
  - and the backend language

  Based on this information I'm able to say: "Yes, a new version is
  available, but not for your TYPO3 version." These values are passed
  completely anonymously and help me to improve the extension.

  Because I have the data I am also able to get statistics. Like: Which
  TYPO3 version is used most often? I'm going to publish some
  interesting graphs based on these data on the `Facebook page`_ of DCE
  extension.

with Resources/Private/Templates/DceModule/Index.html rendering the
following in the (currently) non-default configuration:

  <a href="http://dce.v.ieweg.de/versioncheck/update" target="_blank">
  <img src="http://dce.v.ieweg.de/versioncheck?t3={dce:be.currentTypo3Version()}&amp;dce={dce:be.currentDceVersion()}&amp;l={dce:be.currentLanguage()}"
  alt="" /></a>

As always, a vendor is allowed to announce this type of previously
default intentional behavior as a vulnerability; it's just somewhat
unusual to do so.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUQq3bAAoJEKllVAevmvmsqz0H/AitsWMA1w0jmrQDVw3kGeoQ
8uzdDN2Bu7Qi3KQEGvyQGb8H+X42hdeJoWkdyBdDPVVwWMjJDOnuk0+TkaTphQwp
pSrl8H38FkfH725aVy7Mv/TPjv5FzvmXVpTAJiUFe+uf1tJyWyDmmIqgJ6TMF2+f
5NfUnY7VS9lk1f+3zFnTXlQH/j7Oa8ktqYKmAlRcyt5M1cF6dQA0smPxwvMjjAtD
iMfwBvG1DnM+EdpVXtQnua1vTtZoDOfMlp3ztwMu896dhC8iDva3Dsq488JxtXXt
jbyJvk2S0OQhv5uyppYB4rf+JW9DddmeWp5USduNmiPojilj/B4oiyCp6u4jr+g=
=qsCz
-----END PGP SIGNATURE-----
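As an added example (not part of the bulletin, the MITRE reply, or the DCE extension's own code), the following Python audit shows how a defender can scan an extension's Fluid/HTML templates for the pattern the advisory describes: an external image or link URL whose query string interpolates template view-helper values, so that loading the backend module reports installation data to a third-party host. The host name and the `<img>` markup in the sample are taken from the advisory; the relative logo line and the `trusted_hosts` parameter are constructed assumptions for the example.

```python
"""Find phone-home URLs in TYPO3 Fluid templates.

A "beacon" here is an absolute http(s) URL in a src= or href= attribute
whose query parameters contain Fluid inline syntax such as
{dce:be.currentTypo3Version()}; rendering such markup sends the
interpolated values to the remote host without user interaction.
"""
import re
from dataclasses import dataclass, field

# src= or href= attributes that point at an absolute http(s) URL
_ATTR_URL = re.compile(
    r'(?P<attr>src|href)\s*=\s*"(?P<url>https?://[^"]*)"', re.IGNORECASE
)
# Fluid inline view-helper / variable syntax, e.g. {dce:be.currentLanguage()}
_FLUID_VAR = re.compile(r'\{[^{}]+\}')
# Query-string name=value pairs; a value may itself be a Fluid expression
_PARAM = re.compile(r'[?&]([^=&]+)=([^&"]*)')
_HOST = re.compile(r'https?://([^/?#]+)')


@dataclass
class Beacon:
    attr: str                 # which attribute carried the URL (src/href)
    host: str                 # remote host receiving the data
    leaked_params: dict = field(default_factory=dict)  # name -> Fluid expr


def find_beacons(template: str, trusted_hosts=()) -> list:
    """Return the external URLs whose query string carries template data.

    trusted_hosts: hosts the site operator has consciously opted in to
    (constructed parameter for this example); matches there are skipped.
    """
    # Mail- or editor-wrapped attributes may span lines; flatten whitespace
    # and undo HTML entity encoding of the query separator.
    flat = re.sub(r'\s+', ' ', template).replace('&amp;', '&')
    beacons = []
    for m in _ATTR_URL.finditer(flat):
        url = m.group('url')
        host_match = _HOST.match(url)
        if not host_match or host_match.group(1) in trusted_hosts:
            continue
        leaked = {
            name: value
            for name, value in _PARAM.findall(url)
            if _FLUID_VAR.search(value)
        }
        if leaked:
            beacons.append(Beacon(m.group('attr'), host_match.group(1), leaked))
    return beacons


# Constructed sample: the version-check markup quoted in the advisory plus
# a harmless relative image, as a template audit would encounter it.
SAMPLE_TEMPLATE = '''
<a href="http://dce.v.ieweg.de/versioncheck/update" target="_blank">
<img src="http://dce.v.ieweg.de/versioncheck?t3={dce:be.currentTypo3Version()}&amp;dce={dce:be.currentDceVersion()}&amp;l={dce:be.currentLanguage()}" alt="" /></a>
<img src="/typo3conf/ext/dce/Resources/Public/Icons/logo.png" alt="" />
'''

if __name__ == "__main__":
    for b in find_beacons(SAMPLE_TEMPLATE):
        print(f"{b.attr} -> {b.host} leaks {sorted(b.leaked_params)}")
```

Running the audit over the sample reports one beacon: the `src` URL to dce.v.ieweg.de leaking the `t3`, `dce` and `l` parameters, while the plain `href` to the update page (no interpolated query string) and the relative logo are ignored. The check is deliberately syntactic; it flags what the template will send, which is exactly the review an operator wants before enabling an opt-in feature such as the renamed `enableUpdateCheck` option.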