Category Archives: Typo3

Multiple vulnerabilities in Content Rating Extbase (content_rating_extbase)

Release Date: January 9, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: 2.0.3 and all versions below

Vulnerability Type: Cross-Site Scripting, SQL Injection

Severity: High

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:U/RC:C

Problem Description: The extension fails to properly escape user input in HTML and SQL context.

Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author failed to provide a security fix for the reported vulnerabilities within a reasonable time. Please uninstall the extension and delete its folder from your installation.

Credits: Credits go to Steffen Müller who discovered and reported the vulnerabilities.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Multiple vulnerabilities in Content Rating (content_rating)

Release Date: January 9, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: 1.0.3 and all versions below

Vulnerability Type: Cross-Site Scripting, SQL Injection

Severity: High

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:U/RC:C

Problem Description: The extension fails to properly escape user input in HTML and SQL context.

Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author failed to provide a security fix for the reported vulnerabilities within a reasonable time. Please uninstall the extension and delete its folder from your installation.

Credits: Credits go to Steffen Müller who discovered and reported the vulnerabilities.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
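The two bulletins above say only that user input reaches HTML and SQL context unescaped. The following is an added example, not code from either content_rating extension or from the TYPO3 project: it models a rating plugin that reads a content uid and a free-text comment from the request and shows the vulnerable concatenation next to the hardened form. The table, the request values and the use of SQLite through PDO are constructed so the script runs stand-alone with php; a TYPO3 4.x/6.x extension would do the same through $GLOBALS['TYPO3_DB'], casting integers with intval() and quoting strings with fullQuoteStr().

```php
<?php
// Added example, not code from the content_rating extensions or from TYPO3.
// Models a rating plugin: a content uid and a comment arrive from the request,
// are stored, and are rendered back into a page. Table, request values and the
// in-memory SQLite database are constructed so this runs stand-alone.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tx_rating (uid INTEGER PRIMARY KEY AUTOINCREMENT, content_uid INTEGER, comment TEXT)');
$db->exec("INSERT INTO tx_rating (content_uid, comment) VALUES (1, 'fine'), (2, 'secret note')");

// Constructed request: an attacker controls both parameters.
$request = [
    'content_uid' => '1 OR 1=1',                                // lands in SQL context
    'comment'     => '<script>alert(document.cookie)</script>', // lands in HTML context
];

// --- Vulnerable pattern: user input is concatenated into the query and echoed as-is.
function vulnerableQuery(PDO $db, array $request): array
{
    $sql = 'SELECT comment FROM tx_rating WHERE content_uid = ' . $request['content_uid'];
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

function vulnerableRender(string $comment): string
{
    return '<li>' . $comment . '</li>';
}

// --- Hardened pattern: the integer is cast, the string is bound to a placeholder,
//     and anything written into markup is escaped for the HTML context.
function hardenedQuery(PDO $db, array $request): array
{
    $stmt = $db->prepare('SELECT comment FROM tx_rating WHERE content_uid = :uid');
    $stmt->execute([':uid' => (int)$request['content_uid']]); // "1 OR 1=1" is cast to 1
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function hardenedInsert(PDO $db, array $request): void
{
    $stmt = $db->prepare('INSERT INTO tx_rating (content_uid, comment) VALUES (:uid, :comment)');
    $stmt->execute([':uid' => (int)$request['content_uid'], ':comment' => $request['comment']]);
}

function hardenedRender(string $comment): string
{
    return '<li>' . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
}

// Vulnerable: the injected OR makes the WHERE clause true for every row, so the
// comment stored for content 2 leaks, and the script tag is written to the page verbatim.
var_dump(vulnerableQuery($db, $request));
echo vulnerableRender($request['comment']), "\n";

// Hardened: only rows for content 1 come back, and the stored comment is rendered inert.
hardenedInsert($db, $request);
foreach (hardenedQuery($db, $request) as $comment) {
    echo hardenedRender($comment), "\n";
}
```

Run it with `php rating_escaping.php`. The point to take from it is that the SQL and HTML fixes are independent: binding the query parameter does nothing for the comment once it is echoed, and escaping the output does nothing for the WHERE clause, which is why both contexts appear in the bulletin.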

Improper Authentication in LDAP / SSO Authentication (ig_ldap_sso_auth)

Release Date: January 8, 2015

Updated: January 8, 2015 (Affected Versions, Severity)

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: 2.0.0

Vulnerability Type: Improper Authentication

Severity: Critical

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C

Problem Description: The extension insufficiently authenticates a user against LDAP/AD.

Solution: Updated version 2.0.1 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/ig_ldap_sso_auth/2.0.1/t3x/.

Credits: Credits go to Stefan Kaifer who discovered the vulnerability.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Cross-Site Scripting vulnerability in wfGallery (wf_gallery)

Release Date: December 15, 2014

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: 1.0.3 and all versions below

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C

Problem Description: The extension fails to properly escape user input in HTML context.

Solution: Updated version 1.0.4 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/wf_gallery/1.0.4/t3x/.

Credits: Credits go to Alexander Kellner who discovered and reported the vulnerability.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Multiple vulnerabilities in BibTex Publications (si_bibtex)

Release Date: December 15, 2014

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: 0.2.3 and all versions below

Vulnerability Type: Cross-Site Scripting, SQL Injection

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C

Problem Description: The extension fails to properly escape user input in HTML and SQL context.

Solution: Updated version 0.2.5 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/si_bibtex/0.2.5/t3x/.

Credits: Credits go to Bernhard Schildendorfer who discovered and reported the vulnerabilities.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Multiple vulnerabilities in Drag Drop Mass Upload (ameos_dragndropupload)

Release Date: December 15, 2014

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: 3.1.1 and all versions below

Vulnerability Type: Cross-Site Scripting, Cross-Site Request Forgery, Improper Access Control

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:POC/RL:OF/RC:C

Problem Description: Crafted filenames can trigger XSS. The extension has no CSRF protection in place to prevent forged requests. The extension fails to restrict resource access to only those resources the backend user has been granted access to.

Solution: Updated version 3.1.2 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/ameos_dragndropupload/3.1.2/t3x/.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Link spoofing and cache poisoning vulnerabilities in TYPO3 CMS

Component Type: TYPO3 CMS

Vulnerability Types: Link Spoofing, Cache Poisoning

Overall Severity: Medium

Release Date: December 10, 2014

Vulnerable subcomponent: Frontend Rendering

Vulnerability Type: Link Spoofing

Affected Versions: Versions 4.5.0 to 4.5.38, 4.6.0 to 4.6.18, 4.7.0 to 4.7.20, 6.0.0 to 6.0.14, 6.1.0 to 6.1.12 and 6.2.0 to 6.2.8, 7.0.0 to 7.0.1

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C

CVE: not assigned yet

Problem Description: An attacker could forge a request which modifies anchor-only links on the homepage of a TYPO3 installation so that they point to arbitrary domains, if the configuration option config.prefixLocalAnchors is used with any possible value. TYPO3 versions 4.6.x and higher are only affected if the homepage is not a shortcut to a different page. As an additional precondition, URL rewriting must be enabled in the web server, which is typically the case when using extensions like realurl or cooluri.

Installations where config.absRefPrefix is additionally set to any value are not affected by this vulnerability.

Example of affected configuration:

TypoScript:

config.absRefPrefix =
config.prefixLocalAnchors = all
page = PAGE
page.10 = TEXT
page.10.value = <a href="#skiplinks">Skiplinks</a>

.htaccess:

RewriteCond %{REQUEST_FILENAME} !-f 
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-l
RewriteRule .* index.php [L]

Solution: Set config.absRefPrefix to a value fitting your installation, or update to TYPO3 versions 4.5.39, 6.2.9 or 7.0.2, which fix the problem described.

Important Note: Since the changes provided with the TYPO3 update change the way the prefix for local anchors is generated, there might be cases where the update breaks functionality. The impact of the breakage is that the page is reloaded in the browser when a user follows a link where previously the browser only jumped to a certain section of the current page.

Credits: Thanks to Gernot Leitgab who discovered and reported the vulnerability.

Vulnerability Type: Cache Poisoning

Affected Versions: Versions 4.5.0 to 4.5.38, 4.6.0 to 4.6.18, 4.7.0 to 4.7.20, 6.0.0 to 6.0.14, 6.1.0 to 6.1.12 and 6.2.0 to 6.2.8, 7.0.0 to 7.0.1

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C

CVE: not assigned yet

Problem Description: A request URL with arbitrary arguments, but still pointing to the home page of a TYPO3 installation, can be cached if the configuration option config.prefixLocalAnchors is used with the values “all” or “cached”. The impact of this vulnerability is that unfamiliar-looking links to the home page can end up in the cache, which leads to a reload of the page in the browser when section links are followed by web page visitors, instead of directly jumping to the requested section of the page. TYPO3 versions 4.6.x and higher are only affected if the homepage is not a shortcut to a different page.

Solution: Remove the configuration option config.prefixLocalAnchors (and optionally also config.baseUrl) in favor of config.absRefPrefix.

Credits: Thanks to Gernot Leitgab who discovered and reported the vulnerability.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.
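The following added example models the mechanism the two subcomponent descriptions above share; it is not TYPO3 source code. It assumes what the bulletin states: with config.prefixLocalAnchors set, the prefix for anchor-only links is derived from the incoming request URL; the catch-all rewrite rule sends every path to index.php, so odd request URLs still render the home page; and the rendered home page is cached under the page id, so a single forged request decides what later visitors receive. The request URIs, in particular the protocol-relative one used for the forged request, are constructed assumptions for illustration and not the exact request TYPO3 was vulnerable to. Requires PHP 7.4 or later.

```php
<?php
// Added example modelling the behaviour described in the bulletin; not TYPO3 code.
// Assumptions: the anchor prefix is taken from the request URL (prefixLocalAnchors),
// every path reaches index.php via the catch-all rewrite, and the home page is
// cached by page id. Request shapes below are constructed for illustration.

$page = '<a href="#skiplinks">Skiplinks</a> <a href="/about">About</a>';

// Only href="#..." links are rewritten; ordinary links are left alone.
function prefixLocalAnchors(string $html, string $prefix): string
{
    return preg_replace_callback(
        '/(<(?:a|area)[^>]*?href=")(#[^"]*")/i',
        fn(array $m) => $m[1] . htmlspecialchars($prefix, ENT_QUOTES) . $m[2],
        $html
    );
}

// prefixLocalAnchors-style: the prefix is whatever the request claimed.
function prefixFromRequest(array $server): string
{
    return $server['REQUEST_URI'];
}

// absRefPrefix-style: the prefix is fixed configuration; the request is ignored.
function prefixFromConfig(array $server, string $absRefPrefix): string
{
    return $absRefPrefix;
}

// Minimal page cache keyed on the page id only: arbitrary request URLs that still
// resolve to the home page share one cache entry, which is the cache poisoning case.
function renderCached(array &$cache, int $pageId, string $html, string $prefix): string
{
    if (!isset($cache[$pageId])) {
        $cache[$pageId] = prefixLocalAnchors($html, $prefix);
    }
    return $cache[$pageId];
}

// Constructed requests: a normal visitor, and a forged request whose URI is a
// protocol-relative URL. With the catch-all rewrite it still renders page 1.
$normal = ['REQUEST_URI' => '/'];
$forged = ['REQUEST_URI' => '//attacker.example/']; // assumed shape, for illustration

// 1. Request-derived prefix, forged request arrives first: the markup with the
//    foreign host in every anchor-only link is cached and served to the normal visitor.
$cache = [];
renderCached($cache, 1, $page, prefixFromRequest($forged));
echo renderCached($cache, 1, $page, prefixFromRequest($normal)), "\n";

// 2. Configured prefix: the same forged request cannot influence the cached markup.
$cache = [];
renderCached($cache, 1, $page, prefixFromConfig($forged, '/'));
echo renderCached($cache, 1, $page, prefixFromConfig($normal, '/')), "\n";
```

In the first run the "Skiplinks" href of the page served to the normal visitor starts with //attacker.example/, in the second it starts with the configured prefix regardless of who requested the page first. That is the whole difference between the two solutions in the bulletin: a prefix that is configuration cannot be chosen by the requester, so neither the spoofed link nor the cache entry that carries it can be produced.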

Multiple vulnerabilities in extension phpMyAdmin (phpmyadmin)

Release Date: December 8, 2014

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: 4.18.x (prior to 4.18.5)

Vulnerability Type: Cross-Site Scripting, Denial of Service, Local File Inclusion

Severity: High

Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:C/I:C/A:P/E:ND/RL:OF/RC:C

References: PMASA-2014-13 (XSS), PMASA-2014-14 (LFI), PMASA-2014-17 (DoS)

Related CVE: CVE-2014-8958 (XSS), CVE-2014-8959 (LFI), CVE-2014-9218 (DoS)

Problem Description: By not validating user input, phpMyAdmin is susceptible to Cross-Site Scripting and Local File Inclusion. Due to insufficient handling of long passwords during authentication, phpMyAdmin is susceptible to Denial of Service.

Solution: An updated version 4.18.5 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/phpmyadmin/4.18.5/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: The vendor of the phpMyAdmin upstream software credits Johannes Dahse, Javier Nieto and Andres Rojas. Thanks to Andreas Beutel for providing a TYPO3 extension package with an updated phpMyAdmin version.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Improper Access Control in WebDav for filemounts (webdav)

Release Date: November 27, 2014

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: 2.0.0

Vulnerability Type: Improper Access Control

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:H/RL:OF/RC:C

Problem Description: The extension fails to restrict resource access via the WebDAV protocol to only those resources the backend user has been granted access to.

Solution: Updated version 2.0.1 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/webdav/2.0.1/t3x/.

Credits: Credits go to extension maintainer Kay Strobach who discovered and reported the issue.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
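The ameos_dragndropupload bulletin above and this webdav bulletin list the same missing checks: a CSRF token, safe handling of crafted filenames, and restriction of access to the resources the backend user has actually been granted. The following is an added example, not code from either extension or from TYPO3, that models a backend upload handler with those three checks. The session token, the user's single file mount and the three requests are constructed so the script runs stand-alone with PHP 7.4 or later; in a real extension the token would come from TYPO3's form protection API and the allowed paths from the backend user's file mount configuration, which are assumptions about where the values originate rather than calls made here.

```php
<?php
// Added example, not code from ameos_dragndropupload, the webdav extension or TYPO3.
// Models the three checks an upload/file handler in the backend needs. Session,
// user mounts and requests are constructed so this runs stand-alone.

class UploadHandler
{
    /** @var array<string, mixed> constructed stand-in for the backend session */
    private array $session;
    /** @var string[] mounts this user may write to, normalised with trailing slash */
    private array $allowedMounts;

    public function __construct(array $session, array $allowedMounts)
    {
        $this->session = $session;
        $this->allowedMounts = array_map(fn($m) => rtrim($m, '/') . '/', $allowedMounts);
    }

    /** CSRF: the request must carry the per-session token; compare in constant time. */
    public function csrfTokenValid(?string $token): bool
    {
        return is_string($token) && isset($this->session['csrf_token'])
            && hash_equals($this->session['csrf_token'], $token);
    }

    /** Filesystem context: drop any directory part and anything outside a safe set. */
    public static function sanitizeFilename(string $name): string
    {
        $base = basename(str_replace('\\', '/', $name));
        $base = ltrim(preg_replace('/[^A-Za-z0-9._-]/', '_', $base), '.');
        return $base === '' ? 'upload' : $base;
    }

    /** HTML context: a filename shown in the upload list is escaped whatever it contains. */
    public static function renderFilename(string $name): string
    {
        return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }

    /** Access control: the target directory must lie inside one of the user's mounts. */
    public function targetAllowed(string $targetDir): bool
    {
        $target = rtrim($targetDir, '/') . '/';
        // Refuse traversal segments before doing any prefix comparison.
        if (strpos($target, '/../') !== false || strpos($target, '/./') !== false) {
            return false;
        }
        foreach ($this->allowedMounts as $mount) {
            // Trailing slash on the mount stops /editors2/ matching /editors/.
            if (strncmp($target, $mount, strlen($mount)) === 0) {
                return true;
            }
        }
        return false;
    }

    /** Decision for one request; returns what happened so the caller can log it. */
    public function handle(array $request): string
    {
        if (!$this->csrfTokenValid($request['token'] ?? null)) {
            return 'refused: missing or wrong CSRF token';
        }
        if (!$this->targetAllowed($request['target'])) {
            return 'refused: target outside granted file mounts';
        }
        $stored = rtrim($request['target'], '/') . '/' . self::sanitizeFilename($request['filename']);
        return 'stored ' . $stored . ' (listed as ' . self::renderFilename($request['filename']) . ')';
    }
}

// Constructed session and backend user: one editor with a single file mount.
$sessionToken = bin2hex(random_bytes(16));
$handler = new UploadHandler(['csrf_token' => $sessionToken], ['/var/www/fileadmin/editors/']);

$requests = [
    // 1. Forged cross-site request: an attacker cannot know the session token.
    ['target' => '/var/www/fileadmin/editors/', 'filename' => 'a.png'],
    // 2. Authenticated editor aiming outside the granted mount via traversal.
    ['token' => $sessionToken, 'target' => '/var/www/fileadmin/editors/../admin/', 'filename' => 'a.png'],
    // 3. Authenticated editor, crafted filename with a path part and a script payload.
    ['token' => $sessionToken, 'target' => '/var/www/fileadmin/editors/',
     'filename' => '../../<img src=x onerror=alert(1)>.png'],
];
foreach ($requests as $r) {
    echo $handler->handle($r), "\n";
}
```

The first two requests are refused, one for the missing token and one for the target directory; the third is stored under a name with the path part and the angle brackets removed, while the name echoed back into the upload list is HTML-escaped. Sanitising for the filesystem and escaping for HTML are separate steps on purpose: the stored name must be safe on disk, and the original name, which the user legitimately wants to see in the list, must be safe in the page.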

Cross-Site Scripting vulnerability in extension phpMyAdmin (phpmyadmin)

Release Date: November 5, 2014

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: 4.18.0, 4.18.1, 4.18.2 and 4.18.3

Vulnerability Type: Cross-Site Scripting

Severity: Low

Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:P/A:N/E:ND/RL:OF/RC:C

References: PMASA-2014-11

Related CVE: CVE-2014-7217

Problem Description: Crafted database content can trigger XSS in table search and table structure pages.

Solution: An updated version 4.18.4 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/phpmyadmin/4.18.4/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: The vendor of the phpMyAdmin upstream software credits Ashutosh Dhundhara. Thanks to Andreas Beutel for providing a TYPO3 extension package with an updated phpMyAdmin version.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.