Category Archives: Typo3

Cross-Site Scripting in news

Release Date: June 3, 2014

Bulletin update: September 4, 2014 (affected version clarification)

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 2.3.0 and below of 2.x.x branch, version 3.0.0 of 3.x.x branch

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:O/RC:C

Related CVEs: CVE-2011-3642, CVE-2013-1464

Problem Description: The extension bundles flash files for video and audio playback. Old versions of FlowPlayer and flashmedia are susceptible to Cross-Site Scripting. No authentication is required to exploit this vulnerability.

Solution: Updated versions 2.3.1 and 3.0.1 are available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/news/2.3.1/ and http://typo3.org/extensions/repository/download/news/3.0.1/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Markus Pieton and Vytautas Paulikas who discovered and reported the issues.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Cross-Site Scripting in gridelements

Release Date: May 27, 2014

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: 2.0.2 and below, 1.5.0 and below

Vulnerability Type: Cross-Site Scripting

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: CVE-2014-3949

Problem Description: Failing to properly sanitize user input, the layout wizard provided by the extension gridelements is susceptible to Cross-Site Scripting. A valid backend user login with permission to access the layout wizard is required for this vulnerability to be exploited.

Solution: Updated versions 2.0.3 and 1.5.1 are available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/gridelements/2.0.3/ and http://typo3.org/extensions/repository/download/gridelements/1.5.1/t3x/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Security Team Member Georg Ringer who discovered and reported the issue.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Multiple Vulnerabilities in TYPO3 CMS

Component Type: TYPO3 CMS

Vulnerability Types: Cross-Site Scripting, Insecure Unserialize, Improper Session Invalidation, Authentication Bypass, Information Disclosure and Host Spoofing

Overall Severity: Medium

Release Date: May 22, 2014

Vulnerability Type: Host Spoofing

Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13, 6.1.0 to 6.1.8 and 6.2.0 to 6.2.2

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:O/RC:C

CVE: CVE-2014-3941

Problem Description: Failing to properly validate the HTTP Host header, TYPO3 CMS is susceptible to host spoofing. TYPO3 uses the HTTP Host header to generate absolute URLs in several places, such as 404 handling, http(s) enforcement, password reset links and many more. Since the Host header itself is provided by the client, it can be forged to any value, even in a name-based virtual hosts environment. A blog post describes this problem in great detail.

Solution: Update to TYPO3 versions 4.5.34, 4.7.19, 6.0.14, 6.1.9 or 6.2.3 and check or update your web server configuration as described below.

Additional Notes: These versions introduce a new configuration option: 

$GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern']

This option can contain either the value “SERVER_NAME” or a regular expression pattern that matches all host names that are considered trustworthy for the particular TYPO3 installation. “SERVER_NAME” is the default value shipped with the above mentioned TYPO3 versions. With this option value in effect, TYPO3 checks the currently submitted host-header against the SERVER_NAME variable. The SERVER_NAME variable contains trusted values in the following cases:

Apache Webserver: Apache is set up to use name based virtual hosts while the TYPO3 installation is part of one virtual host and not the default host. Only values that are part of the ServerName or ServerAlias values in the virtual host configuration are then set as SERVER_NAME.

Nginx Webserver: Nginx is set up with different server blocks while the TYPO3 installation is not part of the “catch all” server block. By default only the first value of the server_name option is taken into account to populate the SERVER_NAME variable. If you specified more than one server name in your Nginx configuration you have to additionally add the following configuration:
fastcgi_param SERVER_NAME $host;

If TYPO3 is served by Apache from the default host, updating to the current TYPO3 versions is not enough! Apache then sets the SERVER_NAME variable directly to the (untrusted) Host header value. In such a setup you must either set “UseCanonicalName On” in your Apache configuration, or change the TYPO3 configuration option to a regular expression that matches all trusted host names in your TYPO3 installation.
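The following is an added example, not TYPO3 core code: it mirrors the check the bulletin describes (Host header compared against SERVER_NAME, or against a regular expression) so the two settings can be tried side by side. The function name, the exact matching rules (port stripped, case-insensitive, anchored) and the host names are assumptions; TYPO3's own implementation may differ in detail.

```php
<?php
// Added example (not TYPO3 code): the trustedHostsPattern check as the bulletin describes it.

/**
 * Decide whether the Host header of the current request may be used to build URLs.
 *
 * @param string $httpHost   value of $_SERVER['HTTP_HOST'] (client supplied)
 * @param string $serverName value of $_SERVER['SERVER_NAME'] (set by the web server)
 * @param string $pattern    either 'SERVER_NAME' or a regular expression without delimiters
 */
function isTrustedHost(string $httpHost, string $serverName, string $pattern): bool
{
    // The pattern is matched against the host name only, so drop an optional port.
    $host = preg_replace('/:\d+$/', '', $httpHost);

    if ($pattern === 'SERVER_NAME') {
        // Only meaningful when the web server fills SERVER_NAME from its own configuration
        // (ServerName/ServerAlias, nginx server_name) rather than from the Host header.
        return $host === $serverName;
    }

    // Anchored, case-insensitive match over the whole host name.
    return preg_match('/^(' . $pattern . ')$/i', $host) === 1;
}

// As it would appear in typo3conf/LocalConfiguration.php. Shipped default:
$GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] = 'SERVER_NAME';

// Explicit allow-list for a site served from Apache's default host, where SERVER_NAME
// would otherwise just echo the Host header. Host names are constructed examples.
$GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] =
    'www\.example\.org|example\.org|staging\.example\.org';

$pattern = $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'];

// Legitimate request against the regular expression.
var_dump(isTrustedHost('www.example.org', 'www.example.org', $pattern));

// Forged Host header against the regular expression: a password reset link built from
// this value would point at a host the site does not own.
var_dump(isTrustedHost('attacker.example.net', 'www.example.org', $pattern));

// The default-host trap: Apache copied the forged header into SERVER_NAME, so the
// 'SERVER_NAME' setting compares the untrusted value with itself.
var_dump(isTrustedHost('attacker.example.net', 'attacker.example.net', 'SERVER_NAME'));
```

The first call is accepted and the second rejected; the third is accepted even though the host is forged, which is exactly why the bulletin says that on an Apache default host you need either UseCanonicalName or the regular expression form of the option.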

IMPORTANT: We tried hard to avoid a breaking change with these new versions and at the same time deliver a secure default setup for most users. We may have missed edge cases (like other web servers than the above, or a complex reverse proxy setup) where the default configuration breaks your site after the update. If you have a (server) setup that is considerably different from the scenarios described above, you should test if your TYPO3 installation still works after the update with the provided default configuration.

Credits: Credits go to Security Team Member Helmut Hummel who discovered and reported the issue and to Wouter van Dongen who discovered and reported a particular exploit possibility.

Vulnerable subcomponent: Color Picker Wizard

Vulnerability Type: Insecure Unserialize

Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13 and 6.1.0 to 6.1.8

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:N/I:P/A:P/E:F/RL:O/RC:C

CVE: CVE-2014-3942

Problem Description: Failing to validate authenticity of a passed serialized string, the color picker wizard is susceptible to insecure unserialize, allowing authenticated editors to unserialize arbitrary PHP objects.

Solution: Update to TYPO3 versions 4.5.34, 4.7.19, 6.0.14 or 6.1.9 that fix the problem described. TYPO3 version 6.2 is not affected by this vulnerability.
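As an added example (not TYPO3's own fix or code), this shows the property the bulletin names as missing: a serialized value that travels through the client carries an HMAC, and the server verifies it before calling unserialize(). The function names are assumptions, the key is a constructed placeholder (a real installation would use its encryptionKey), and the wizard state is constructed. It needs PHP 7.1 or later.

```php
<?php
// Added example (not TYPO3 code): authenticating a serialized value before unserializing it.

const ENCRYPTION_KEY = 'constructed-placeholder-key-replace-in-real-use';

/** Serialize $data and prepend an HMAC so the receiver can detect any modification. */
function sealState(array $data, string $key): string
{
    $payload = serialize($data);
    $mac = hash_hmac('sha256', $payload, $key);   // 64 hex characters, never contains ':'
    return $mac . ':' . $payload;
}

/**
 * Verify the HMAC first; return null on tampering. allowed_classes=false additionally
 * guarantees that no object (and therefore no __wakeup/__destruct code) is instantiated
 * even if the payload contains an object notation.
 */
function openState(string $sealed, string $key): ?array
{
    $parts = explode(':', $sealed, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $payload] = $parts;
    $expected = hash_hmac('sha256', $payload, $key);
    if (!hash_equals($expected, $mac)) {          // constant-time comparison
        return null;
    }
    $data = unserialize($payload, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Constructed wizard state: the field being edited and its current colour value.
$state  = ['field' => 'tt_content.bodytext', 'value' => '#ff8800'];
$sealed = sealState($state, ENCRYPTION_KEY);

// Untouched value round-trips.
var_dump(openState($sealed, ENCRYPTION_KEY) === $state);

// Client-side modification of the payload is rejected before unserialize() runs.
// The vulnerable pattern was unserialize() on the raw parameter with no such check.
$tampered = str_replace('#ff8800', '#000000', $sealed);
var_dump(openState($tampered, ENCRYPTION_KEY));
```

The order matters: the MAC is checked over the raw string, and unserialize() only ever sees data that passed that check. Where the state does not need to be opaque at all, a plain JSON encoding avoids unserialize() entirely.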

Credits: Credits go to Security Team member Helmut Hummel who discovered and reported the issue.

Vulnerable subcomponent: Backend

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13, 6.1.0 to 6.1.8 and 6.2.0 to 6.2.2

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: CVE-2014-3943

Problem Description: Failing to properly encode user input, several backend components are susceptible to Cross-Site Scripting, allowing authenticated editors to inject arbitrary HTML or JavaScript by crafting URL parameters.

Solution: Update to TYPO3 versions 4.5.34, 4.7.19, 6.0.14, 6.1.9 or 6.2.3 that fix the problem described.

Credits: Credits go to Security Team members Georg Ringer, Franz Jahn and Marc Bastian Heinrichs who discovered and reported the issues.

Vulnerable subcomponent: ExtJS

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13, 6.1.0 to 6.1.8 and 6.2.0 to 6.2.2

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C

Related CVEs: CVE-2010-4207, CVE-2012-5881

Problem Description: The ExtJS JavaScript framework that is shipped with TYPO3 also delivers a flash file to show charts. This file is susceptible to Cross-Site Scripting. This vulnerability can be exploited without any authentication.

Solution: Update to TYPO3 versions 4.5.34, 4.7.19, 6.0.14, 6.1.9 or 6.2.3 that fix the problem described or delete the file typo3/contrib/extjs/resources/charts.swf as it is not used by TYPO3 at all.

Credits: Credits go to Ronald Klomp who discovered and reported the issue.

Vulnerable subcomponent: Authentication

Vulnerability Type: Improper Session Invalidation

Affected Versions: Versions 6.2.0 to 6.2.2

Severity: Low

Suggested CVSS v2.0: AV:L/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: CVE-2014-3944

Problem Description: Because user sessions that have timed out are not properly invalidated, one more authenticated request can be transmitted successfully before the session is finally discarded.

Solution: Update to TYPO3 version 6.2.3, which fixes the problem described.

Credits: Credits go to Markus Klein who discovered and reported the issue.

Vulnerability Type: Authentication Bypass

Affected Versions: All TYPO3 versions not configured to use salted passwords

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: CVE-2014-3945

Problem Description: When the use of salted passwords is disabled (salted passwords are enabled by default since TYPO3 4.6 and required since TYPO3 6.2), passwords for backend access are stored as unsalted MD5 hashes in the database. Such a hash (e.g. taken from a successful SQL injection) can be used directly to authenticate as the backend user without knowing or reverse engineering the password.

Solution: Update to TYPO3 version 6.2 or higher, or configure TYPO3 to make use of salted passwords by installing and configuring the saltedpasswords system component.
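An added example (not TYPO3 code) for administrators who want to check whether the condition in this bulletin still applies to their database: it classifies stored password values by format and flags accounts that are still unsalted MD5, then shows salted hashing with PHP's own API. Function names are assumptions and the be_users rows are constructed sample data, including the phpass-style hash.

```php
<?php
// Added example (not TYPO3 code): audit helper for unsalted MD5 backend passwords.

/**
 * Classify a stored password field. Salted TYPO3 hashes carry a method prefix such as
 * "$P$" (phpass) or "$1$" (md5-crypt); a bare 32-character hex string is an unsalted MD5.
 */
function passwordStorageKind(string $stored): string
{
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        return 'unsalted-md5';   // usable as a credential by itself if the table leaks
    }
    if ($stored !== '' && $stored[0] === '$') {
        return 'salted';
    }
    return 'unknown';
}

/** Return the usernames of rows that must be migrated to salted hashes. */
function accountsNeedingRehash(array $rows): array
{
    $flagged = [];
    foreach ($rows as $row) {
        if (passwordStorageKind($row['password']) !== 'salted') {
            $flagged[] = $row['username'];
        }
    }
    return $flagged;
}

/** Salted, slow hashing (bcrypt via PASSWORD_DEFAULT); every call yields a different hash. */
function storeNewPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

function verifyPassword(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);
}

// Constructed rows as they might look in be_users after a partial migration.
$rows = [
    ['username' => 'admin',  'password' => md5('constructed-example')],            // unsalted MD5
    ['username' => 'editor', 'password' => '$P$CJ0mpwZmW4oZFbsZ3u1WJRdpb5hb8E1'],  // constructed phpass
    ['username' => 'import', 'password' => ''],                                   // empty
];
print_r(accountsNeedingRehash($rows));

$stored = storeNewPassword('constructed-example');
var_dump(verifyPassword('constructed-example', $stored));
// A leaked hash is useless as a login credential against a salted store.
var_dump(verifyPassword(md5('constructed-example'), $stored));
```

In a real installation the rows would come from a `SELECT username, password FROM be_users` query; the value of the audit is that it is format-based, so it also catches accounts that were imported or reset after salted passwords were switched on.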

Note: In TYPO3 version 6.2 it is still possible to disable password salt hashing for frontend users. It should be apparent that such a setup is insecure and not recommended.

Vulnerable subcomponent: Extbase Framework

Vulnerability Type: Information Disclosure

Affected Versions: Versions 6.2.0 to 6.2.2

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:O/RC:C

CVE: CVE-2014-3946

Problem Description: Failing to respect the user groups of logged-in users when caching queries, Extbase is susceptible to information disclosure. The query caching introduced in Extbase 6.2 cached queries without regard to the user's groups, so query results intended for a specific user group were presented to a different group.

Solution: Update to TYPO3 version 6.2.3, which fixes the problem described.
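The cache-key mistake described above, as an added example that is not Extbase code: a key derived from the statement alone against a key that also contains the requesting user's groups. The cache class, function names, record set and group ids are all constructed assumptions; real TYPO3 code goes through its caching framework. It needs PHP 7.4 or later.

```php
<?php
// Added example (not Extbase code): why the query cache key must include the user's groups.

class QueryCache
{
    private array $store = [];

    public function get(string $key): ?array { return $this->store[$key] ?? null; }
    public function set(string $key, array $rows): void { $this->store[$key] = $rows; }
}

/** Vulnerable: the key depends on the statement only, so the first caller's rows serve everyone. */
function cacheKeyVulnerable(string $sql, array $params): string
{
    return sha1($sql . serialize($params));
}

/** Fixed: the (sorted) group list is part of the key, so each group population has its own entry. */
function cacheKeyFixed(string $sql, array $params, array $feGroups): string
{
    sort($feGroups);
    return sha1($sql . serialize($params) . '|groups=' . implode(',', $feGroups));
}

/** Simulated repository lookup honouring fe_group access (0 = public). Records are constructed. */
function fetchRows(array $feGroups): array
{
    $records = [
        ['uid' => 1, 'title' => 'public notice', 'fe_group' => 0],
        ['uid' => 2, 'title' => 'members only',  'fe_group' => 5],
        ['uid' => 3, 'title' => 'staff only',    'fe_group' => 9],
    ];
    return array_values(array_filter(
        $records,
        fn(array $r) => $r['fe_group'] === 0 || in_array($r['fe_group'], $feGroups, true)
    ));
}

function query(QueryCache $cache, array $feGroups, bool $fixed): array
{
    $sql = 'SELECT uid,title FROM tx_example WHERE deleted=0';
    $key = $fixed ? cacheKeyFixed($sql, [], $feGroups) : cacheKeyVulnerable($sql, []);
    if (($hit = $cache->get($key)) !== null) {
        return $hit;                      // served from cache, whoever warmed it
    }
    $rows = fetchRows($feGroups);
    $cache->set($key, $rows);
    return $rows;
}

// A member of group 5 queries first; an anonymous visitor (no groups) queries afterwards.
foreach ([false, true] as $fixed) {
    $cache = new QueryCache();
    query($cache, [5], $fixed);
    $anon = query($cache, [], $fixed);
    printf("%s key: anonymous visitor receives %d row(s)\n", $fixed ? 'fixed' : 'vulnerable', count($anon));
}
```

With the vulnerable key the anonymous visitor receives the member's two rows; with the fixed key only the public row. Any other per-user query input (language, workspace, the user id itself) has to go into the key for the same reason.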

Credits: Credits go to Jan Kiesewetter who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Arbitrary code execution in extension "powermail" (powermail)

Release Date: May 22, 2014

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: powermail: Versions 2.0.13 and below, 1.6.10 and below

Vulnerability Type: Arbitrary Code Execution

Severity: Critical

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:O/RC:C

CVE: CVE-2014-3947

Problem Description: The extension powermail offers the possibility to upload files. It was discovered that files with specially crafted file extensions could be uploaded, which could then be executed as PHP files on the server when Apache is used as web server with mod_mime available (the default). Uploading files in powermail is possible without finally submitting the form, so a malicious file could be uploaded without being noticed. Failing to check the uploaded file name against the fileDenyPattern, powermail is susceptible to arbitrary code execution.

Please also read an older bulletin and a blog article for further information about this issue in combination with Apache as web server.

Solution: Updated versions 2.0.14 and 1.6.11 are available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/powermail/2.0.14/t3x/ and http://typo3.org/extensions/repository/download/powermail/1.6.11/t3x/. Users of the extension are advised to update the extension as soon as possible.
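An added example (not powermail or TYPO3 code) of the check the bulletin says was missing: an uploaded file name is tested against the fileDenyPattern before it is stored. The pattern constant is the default as I recall it from TYPO3 4.x/6.x and is an assumption; read the real value from $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] in your installation. The function name and the file names are constructed.

```php
<?php
// Added example (not powermail code): applying TYPO3's fileDenyPattern to upload names.

// Assumed default pattern of the TYPO3 versions of that time; use the configured value.
const FILE_DENY_PATTERN_ASSUMED = '\\.(php[3-6]?|phpsh|phtml)(\\..*)?$|^\\.htaccess$';

/** True if the name may be stored in a web-served upload directory. */
function isUploadNameAllowed(string $fileName, string $denyPattern = FILE_DENY_PATTERN_ASSUMED): bool
{
    // basename() strips any directory component smuggled into the name.
    $name = basename($fileName);
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }
    // Case-insensitive, because Apache matches extensions case-insensitively as well.
    return preg_match('/' . $denyPattern . '/i', $name) !== 1;
}

// Constructed names covering the cases the pattern is designed for.
$names = [
    'cv.pdf',
    'photo.JPG',
    'shell.php',
    'shell.php.txt',    // double extension: mod_mime treats every dot-separated part as an extension
    'shell.PhP5',       // mixed case handler extension
    '.htaccess',        // could re-enable a PHP handler inside the upload directory
    '../evil.phtml',    // directory traversal in the name
];
foreach ($names as $n) {
    printf("%-16s %s\n", $n, isUploadNameAllowed($n) ? 'allowed' : 'denied');
}
```

The deny pattern is the check the bulletin asks for, but it is still a deny-list: storing uploads outside the document root, or with a fixed neutral extension, removes the dependency on mod_mime's behaviour altogether.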

Credits: Credits go to Wouter van Dongen who discovered and reported the issue. 

Affected Versions: powermail: Versions 1.6.10 and below

Vulnerability Type: Cross-Site Scripting

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: CVE-2014-3948

Problem Description: It was discovered that versions 1.6.10 and below are susceptible to Cross-Site Scripting within the HTML export wizard in the backend module.

Solution: An updated version 1.6.11 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/powermail/1.6.11/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Florian Grunow who discovered and reported this issue.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Captcha Bypass in extension "powermail" (powermail)

Release Date: April 10, 2014

Bulletin update: September 18, 2014 (added CVE)

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: powermail: Version 2.0.0 – 2.0.10

Vulnerability Type: Captcha Bypass

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:O/RC:C

CVE: CVE-2014-6288

Problem Description: The extension powermail offers the use of a captcha validation to secure forms. It was possible to bypass the captcha validation and submit forms.

Important Note: Other field validators weren’t involved so any other validation worked as expected.

Solution: Updated version 2.0.11 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/powermail/2.0.11/t3x/. Users of the extension are advised to update the extension as soon as possible as long as they use captchas in their forms.

Credits: Credits go to Jigal van Hemert who discovered and reported this issue.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Access Bypass in extensions "Yet Another Gallery" (yag) and "Tools for Extbase development" (pt_extbase)

Release Date: February 12, 2014

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: yag: Version 3.0.0 and below, pt_extbase: Version 1.5.0 and below

Vulnerability Type: Access Bypass

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:P/A:N/E:F/RL:O/RC:C

CVE: CVE-2014-6289

Bulletin update: September 18, 2014 (added CVE)

Problem Description: The extension pt_extbase comes with an Ajax dispatcher for Extbase. Using this dispatcher it is possible to call every action in every controller of every Extbase extension installed on the system. The dispatcher fails to do access checks, thus it is possible to bypass access checks for Extbase backend modules like the backend user administration module. The extension yag also delivered an Ajax dispatcher, which was unused but vulnerable.

Important Note: The unused Ajax Dispatcher code in extension yag has been removed. If any other installed extensions made use of this dispatcher, it will stop working. Additionally the Ajax dispatcher in pt_extbase was modified to do access checks. Third party extensions using this dispatcher need to be added to the list of allowed actions.

Solution: Updated versions 3.0.1 and 1.5.1 are available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/yag/3.0.1/t3x/ and http://typo3.org/extensions/repository/download/pt_extbase/1.5.1/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Andrea Schmuttermair who discovered and reported this issue.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Mass Assignment in extension Direct Mail Subscription (direct_mail_subscription)

Release Date: February 12, 2014

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: Version 2.0.0 and below

Vulnerability Type: Mass Assignment

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C

Problem Description: The extension Direct Mail Subscription bundles a vulnerable version of the old feuser_adminLib.inc library. This means that any links for creating records generated by this library can be manipulated to fill any field in the configured database table with arbitrary values. An attack is not limited to the fields listed in the configuration or the link itself.

Related CVE: CVE-2013-7075

Solution: An updated version 2.0.1 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/direct_mail_subscription/2.0.1/t3x/. Users of the extension are advised to update the extension as soon as possible.
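As an added example that is neither feuser_adminLib.inc nor extension code, this contrasts a record built from every submitted key with one restricted to the fields the administrator configured, which is the control the bulletin says the bundled library lacked. The constant names, function names and the POST body are constructed assumptions.

```php
<?php
// Added example (not extension code): limiting a form-created record to configured fields.

/** Fields the administrator configured as writable for this form (allow-list). */
const ALLOWED_FIELDS = ['email', 'name', 'newsletter'];

/** Columns the application decides itself; the client must never override them. */
const SERVER_CONTROLLED = ['usergroup' => 2, 'disabled' => 1];

/** Vulnerable: every submitted key becomes a column of the new record. */
function buildRecordVulnerable(array $submitted): array
{
    return array_merge(SERVER_CONTROLLED, $submitted);   // client values win
}

/** Fixed: unknown keys are dropped and server-controlled columns are applied last. */
function buildRecordFixed(array $submitted, array $allowed = ALLOWED_FIELDS): array
{
    $record = array_intersect_key($submitted, array_flip($allowed));
    return array_merge($record, SERVER_CONTROLLED);      // server values win
}

/** Audit helper: submitted keys that the allow-list rejects, worth logging at runtime. */
function rejectedFields(array $submitted, array $allowed = ALLOWED_FIELDS): array
{
    return array_values(array_diff(array_keys($submitted), $allowed));
}

// Constructed POST body: the visible form fields plus keys that are not part of the form.
$post = [
    'email'      => 'reader@example.org',
    'name'       => 'Reader',
    'newsletter' => 1,
    'usergroup'  => 1,    // not in the form: would move the account into another group
    'disabled'   => 0,    // not in the form: would skip the confirmation step
];

print_r(buildRecordVulnerable($post));
print_r(buildRecordFixed($post));
print_r(rejectedFields($post));
```

The allow-list has to come from server-side configuration, not from the link or the form itself; the bulletin's point is precisely that the list of fields embedded in the generated link was attacker-controlled.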

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.