Category Archives: Typo3


SQL Injection in extension "Shibboleth Authentication" (shibboleth_auth)

Release Date: November 14, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 2.6.3 and below

Vulnerability Type: SQL Injection

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:F/RL:O/RC:C

Problem Description: The extension fails to properly sanitize user input and is vulnerable to SQL Injection.

Solution: An updated version 2.6.4 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/shibboleth_auth/2.6.4/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Ingo Schmitt who discovered and reported the vulnerability.

 

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Insecure Unserialize and SQL Injection in extension "Code Highlighter" (mh_code_highlighter)

Release Date: November 14, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 1.2.10 and below

Vulnerability Type: Insecure Unserialize, SQL Injection

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:P/E:F/RL:O/RC:C

Problem Description: The extension unserializes strings from an untrusted external source. Furthermore it fails to properly sanitize incoming data and is vulnerable to SQL Injection. Both vulnerabilities require a backend user with access to the extension's module.

Solution: An updated version 1.2.11 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/mh_code_highlighter/1.2.11/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Marc Hörsken who discovered and reported the vulnerability.

 

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Cross-Site Scripting in extension "Store Locator" (locator)

Release Date: November 14, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 3.3.6 and below

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:F/RL:O/RC:C

Problem Description: The extension fails to properly sanitize user input.

Solution: An updated version 3.3.7 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/locator/3.3.7/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Wolfgang Klinger who discovered and reported the vulnerability.

 

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Cross-Site Scripting in extension "HTML5 Video Player" (html5videoplayer)

Release Date: November 11, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 6.7.0 and below

Vulnerability Type: Cross-Site Scripting

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C

Problem Description: The extension is vulnerable to Cross-Site Scripting: authorized editors can inject script by supplying URLs that use the "data:" or "javascript:" scheme, which the extension accepts without checking the scheme.
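One way to close the hole this bulletin describes, as an added example in Python (not code from the html5videoplayer extension, which is PHP): a scheme allowlist for editor-supplied URLs. The allowed-scheme set and the sample inputs are assumptions constructed for this illustration. The normalisation steps (HTML entity decoding, stripping ASCII control characters, tabs and newlines, case folding) mirror what browsers do before they resolve a URL, which is why a naive `startswith("javascript:")` check is not enough.

```python
import html
import re

# Schemes an editor may use for a video or poster URL (assumption for this
# example; add others only if the site really needs them). An allowlist is
# used on purpose: a denylist of "bad" schemes misses vbscript:, livescript:
# and whatever a browser adds next.
ALLOWED_SCHEMES = {"http", "https"}

# Browsers drop ASCII control characters, tabs and newlines when they parse a
# URL, so "java\tscript:" still runs as "javascript:". The validator has to
# normalise the same way or it can be bypassed.
_IGNORED_CHARS = re.compile(r"[\x00-\x20\x7f]")

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)


def is_safe_url(raw: str) -> bool:
    """True for relative URLs and for absolute URLs with an allowed scheme."""
    # Attribute values are entity-decoded by the browser before the URL is
    # parsed, so "javascript&#58;alert(1)" must be judged as "javascript:alert(1)".
    decoded = html.unescape(raw)
    cleaned = _IGNORED_CHARS.sub("", decoded)
    match = _SCHEME.match(cleaned)
    if match is None:
        # No scheme, e.g. "/fileadmin/videos/intro.mp4": nothing to execute.
        return True
    return match.group(1).lower() in ALLOWED_SCHEMES


def filter_urls(candidates: list) -> dict:
    """Map each candidate URL to its verdict (True = allowed)."""
    return {url: is_safe_url(url) for url in candidates}


# Constructed inputs: what an editor might paste into a video-source field.
SAMPLE_INPUTS = [
    "https://cdn.example/intro.mp4",
    "/fileadmin/videos/intro.mp4",
    "javascript:alert(document.cookie)",
    "JaVaScRiPt:alert(1)",
    " \tjava\nscript:alert(1)",
    "javascript&#58;alert(1)",
    "data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==",
    "vbscript:MsgBox(1)",
]

if __name__ == "__main__":
    for url, ok in filter_urls(SAMPLE_INPUTS).items():
        print("allow " if ok else "reject", repr(url))
```

The check is only half of the fix: the accepted value must still be HTML-attribute-encoded when it is written into the `<video>` or `<source>` markup, otherwise an editor can break out of the attribute instead of abusing the scheme.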

Solution: An updated version 6.7.1 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/html5videoplayer/6.7.1/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Stephan Großberndt who discovered and reported the vulnerability.

 

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Multiple vulnerabilities in extension "TC Directmail" (tcdirectmail)

Release Date: November 11, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 3.1.1 and below

Vulnerability Type: Cross-Site Scripting, SQL Injection

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:P/E:F/RL:O/RC:C

Problem Description: Failing to properly escape user input, the extension is susceptible to SQL Injection and Cross-Site Scripting. The vulnerabilities are exploitable only by users with access to the backend module, and only if at least one newsletter with the option "Register clicked links" enabled exists.

Solution: An updated version 3.1.2 is available from the TYPO3 extension manager and at https://typo3.org/extensions/repository/download/tcdirectmail/3.1.2/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Torben Hansen who discovered and reported the vulnerability.

 

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

SQL Injection in extension "Events" (jp_events)

Release Date: September 29, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 0.0.2 and below

Vulnerability Type: SQL Injection

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:O/RC:C

Problem Description: The extension fails to properly sanitize user input and is vulnerable to SQL Injection.

Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension is no longer maintained and the author will not provide a security fix for the reported vulnerability. Please uninstall and delete the extension from your installation.

Credits: Credits go to Ingo Schmitt who discovered and reported the vulnerability.

 

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

SQL Injection in extension "GN Tactics Planner" (sf_gntactics)

Release Date: September 29, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 0.2.8 and below

Vulnerability Type: SQL Injection

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:O/RC:C

Problem Description: The extension fails to properly sanitize user input and is vulnerable to SQL Injection.
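The injection pattern behind this and the other SQL Injection bulletins in this archive (shibboleth_auth, mh_code_highlighter, tcdirectmail, jp_events), shown as an added example in Python against an in-memory SQLite table. This is not code from any of the affected extensions; the table `tx_events`, its rows and the `uid` request parameter are constructed for the illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for an extension's records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tx_events (uid INTEGER PRIMARY KEY, title TEXT, hidden INTEGER)"
    )
    conn.executemany(
        "INSERT INTO tx_events VALUES (?, ?, ?)",
        [(1, "Public talk", 0), (2, "Internal planning", 1)],
    )
    return conn


def find_event_vulnerable(conn: sqlite3.Connection, uid: str) -> list:
    """The bug pattern: a request parameter is pasted into the statement text.

    uid="1 OR 1=1" turns "hidden = 0 AND uid = 1" into
    "(hidden = 0 AND uid = 1) OR 1=1", which is always true, so the hidden
    record leaks although the query was meant to exclude it."""
    sql = f"SELECT uid, title FROM tx_events WHERE hidden = 0 AND uid = {uid}"
    return conn.execute(sql).fetchall()


def find_event_safe(conn: sqlite3.Connection, uid: str) -> list:
    """The fix: enforce the expected type, then bind the value as a parameter
    so it can never alter the structure of the statement."""
    try:
        uid_int = int(uid)
    except ValueError:
        return []
    return conn.execute(
        "SELECT uid, title FROM tx_events WHERE hidden = 0 AND uid = ?",
        (uid_int,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(find_event_vulnerable(db, "1 OR 1=1"))  # both rows, hidden one included
    print(find_event_safe(db, "1 OR 1=1"))        # []
```

In TYPO3 extension code the same separation of statement and data is provided by the database API: `createNamedParameter()` on the Doctrine query builder in TYPO3 8, or `fullQuoteStr()` on the older `$GLOBALS['TYPO3_DB']` connection object in 6.2 and 7.6. Casting to the expected type (`(int)` for a uid) before the value reaches the query is the cheapest check and rules out the whole class for numeric parameters.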

Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension is no longer maintained and the author will not provide a security fix for the reported vulnerability. Please uninstall and delete the extension from your installation.

Credits: Credits go to Ingo Schmitt who discovered and reported the vulnerability.

 

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Cache Flooding in TYPO3 Frontend

Component Type: TYPO3 CMS

Release Date: September 13, 2016

 

Vulnerability Type: Cache Flooding

Affected Versions: 6.2.0 to 6.2.26, 7.6.0 to 7.6.10 and 8.0.0 to 8.3.0

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: Links with a valid cHash argument lead to newly generated page cache entries. Because the cHash is not bound to a specific page, attackers could use valid cHash arguments for multiple pages, leading to additional useless page cache entries. Depending on the number of pages in the system and the number of available valid links with a cHash, attackers could add a considerable amount of additional cache entries, which in the end exceed storage limits and thus could lead to the system not responding any more. This means the Cache Flooding attack potentially could lead to a successful Denial of Service (DoS) attack.

Solution: Update to TYPO3 versions 6.2.27, 7.6.11 or 8.3.1 AND set the following configuration value to true.

$GLOBALS['TYPO3_CONF_VARS']['FE']['cHashIncludePageId'] = true;

Important Note: Just updating to the new TYPO3 versions is NOT enough to fix this vulnerability in existing installations. The configuration option needs to be set explicitly as well. Setting this option to true invalidates EVERY existing URL that includes a cHash. This means that if such URLs are indexed by a search engine, visitors arriving from that search engine will end up on a page that does not work properly. If extensions like realurl are used, their caches (and the TYPO3 caches as well) must be flushed so that the new cHash is stored once the pages are requested.

Additionally, calling the CacheHashCalculator API will require the id argument to be set in the URL provided. This means that switching this option on may break existing extensions that use this API.

Because of this major impact on existing installations, please carefully consider when to activate this additional security option for your TYPO3 installation.

For new installations, this option is ON by default.
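A simplified model of the mechanism this bulletin describes, as an added example in Python. It is not TYPO3's own CacheHashCalculator (the HMAC here is a stand-in for TYPO3's calculation, and the key, parameter names and page ids are constructed for the illustration); what it reproduces is the property that matters: whether the page id is part of the hashed input. With `include_page_id=False` (the behaviour of `cHashIncludePageId = false`) one legitimately generated cHash validates on every page id and each replay writes a fresh cache entry, which is the flooding attack; with the option on, the same cHash is bound to the page it was generated for.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Stand-in for the site's secret ($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']);
# constructed for this example.
ENCRYPTION_KEY = b"constructed-example-encryption-key"


def calculate_chash(params: dict, include_page_id: bool) -> str:
    """Keyed hash over the canonicalised parameters that select page content.

    Simplified model, not TYPO3's algorithm. Without include_page_id the "id"
    parameter is left out, so the hash says nothing about which page it was
    generated for; that is exactly what cHashIncludePageId changes."""
    relevant = {k: v for k, v in params.items() if k != "cHash"}
    if not include_page_id:
        relevant.pop("id", None)
    canonical = urlencode(sorted(relevant.items())).encode()
    return hmac.new(ENCRYPTION_KEY, canonical, hashlib.sha256).hexdigest()[:32]


class PageCache:
    """Page cache keyed by (page id, cHash), as TYPO3's page cache is."""

    def __init__(self, include_page_id: bool):
        self.include_page_id = include_page_id
        self.entries = {}

    def request(self, query: str) -> bool:
        """Handle one frontend request; return True if a new cache entry was written."""
        params = dict(parse_qsl(query))
        given = params.get("cHash", "")
        expected = calculate_chash(params, self.include_page_id)
        if not hmac.compare_digest(given.encode(), expected.encode()):
            # Invalid cHash: no cache entry is written for these parameters
            # (simplification; TYPO3 can also answer with a 404 if configured).
            return False
        key = (params["id"], given)
        if key in self.entries:
            return False
        self.entries[key] = f"rendered page {params['id']} for {query}"
        return True


def flood(cache: PageCache, valid_link: dict, page_ids) -> int:
    """Replay one legitimately generated cHash against many page ids.

    Returns the number of cache entries the replay created. The attacker only
    needs one valid link from the site; every page id becomes a new entry."""
    chash = calculate_chash(valid_link, cache.include_page_id)
    created = 0
    for pid in page_ids:
        forged = dict(valid_link, id=str(pid), cHash=chash)
        created += cache.request(urlencode(forged))
    return created


if __name__ == "__main__":
    # Constructed: one valid link to a detail view on page 5.
    link = {"id": "5", "tx_news_pi1[news]": "42"}
    print(flood(PageCache(include_page_id=False), link, range(1, 101)))  # 100
    print(flood(PageCache(include_page_id=True), link, range(1, 101)))   # 1
```

The second number is why the configuration change, not just the version update, is the fix: the code change only makes the binding possible, and the option decides whether existing cHash values are checked against the page id. The same model also explains the note about invalidated URLs: every cHash computed without the id stops matching the moment the id is included.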

Credits: Thanks to Dmitry Dulepov who discovered and reported the issue.

 

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Arbitrary Code Execution in extension "Frontend User Registration" (sf_register)

Release Date: September 12, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 6.2.8 and below

Vulnerability Type: Arbitrary Code Execution

Severity: High

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:O/RC:C

Problem Description: The extension provides the possibility to upload a profile image. The uploaded file is stored in a known directory without proper file type check. An attacker could upload PHP files, guess the name of the created file and therefore execute arbitrary code.
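Upload validation that would have removed each step of the attack path described above, as an added example in Python (not code from sf_register): an extension allowlist, a check that the file content actually starts with the magic bytes of the claimed image type, rejection of an executable extension anywhere in the name (`avatar.php.png`), and a random server-side file name that takes away the "guess the name" step. The extension lists, the magic-byte table and the sample uploads are assumptions constructed for the example.

```python
import os
import secrets

# Image types accepted for a profile picture and the bytes each format starts
# with (assumption for this example; extend for WebP etc. if the site needs it).
IMAGE_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Extensions a typical PHP web server hands to the interpreter. Assumption:
# the exact list depends on the server configuration, so keep it generous.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "inc",
}


def validate_profile_image(original_name: str, content: bytes) -> str:
    """Return a random server-side file name for an acceptable image.

    Raises ValueError for anything else; the caller must not store the file."""
    base = os.path.basename(original_name).lower()   # drops "../" prefixes
    parts = base.split(".")
    if len(parts) < 2 or not parts[-1]:
        raise ValueError("missing extension")
    # Every dotted segment is checked, not only the last one: some server
    # configurations execute "avatar.php.png" as PHP.
    if any(seg in EXECUTABLE_EXTENSIONS for seg in parts[1:]):
        raise ValueError("executable extension")
    ext = parts[-1]
    if ext not in IMAGE_MAGIC:
        raise ValueError("extension not allowed")
    if not any(content.startswith(magic) for magic in IMAGE_MAGIC[ext]):
        raise ValueError("content does not match the claimed type")
    # The user-supplied name never reaches the file system. 16 random bytes
    # make the stored name unguessable even if another check is bypassed.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(original_name: str, content: bytes) -> bool:
    """Convenience wrapper: True if the upload passes validation."""
    try:
        validate_profile_image(original_name, content)
        return True
    except ValueError:
        return False


# Constructed sample uploads.
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"

if __name__ == "__main__":
    print(validate_profile_image("me.png", PNG_HEADER))   # e.g. 3f9a...c1.png
    print(is_accepted("shell.php", PHP_SHELL))            # False
    print(is_accepted("shell.php.png", PNG_HEADER))       # False
    print(is_accepted("shell.png", PHP_SHELL))            # False
```

The magic-byte check alone is not sufficient, because a genuine PNG can carry PHP code in a text chunk and still start with the PNG signature. The directory that receives the files therefore needs script execution disabled (or should sit outside the document root and be served through a download script), and the random name closes the path the bulletin describes, in which the attacker derives the stored file name and requests it directly.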

Solution: An updated version 6.2.9 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/sf_register/6.2.9/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Thanks to Falk Huber who discovered and reported the issue.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Denial of Service in extension "Speaking URLs for TYPO3" (realurl)

Release Date: September 8, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 2.0.0 to 2.0.14

Vulnerability Type: Denial of Service

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:O/RC:C

Problem Description: The extension allows an attacker to forge URLs with arbitrary cHash values by regenerating the cHash GET argument. This results in the possibility to create an arbitrary amount of page cache entries. Exceeding database storage limits will eventually lead to the TYPO3 page not responding any more.

Solution: An updated version 2.0.15 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/realurl/2.0.15/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Thanks to Robert Vock and Timo Pfeffer who discovered and reported the issue.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.