=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2009/VULN140
_____________________________________________________________________

DATE                      : 08/04/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running A21glossary Advanced Output
                               for TYPO3, ClickStream Analyzer for TYPO3,
                               Directory Listing for TYPO3, Store
                               Locator for TYPO3, Userdata Create/Edit
                               for TYPO3, Versatile Calendar Extension
                               for TYPO3, ultraCards for TYPO3, Visitor
                               Tracking for TYPO3, Frontend User
                               Registration for TYPO3.

======================================================================
http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-005/
http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-004/
______________________________________________________________________

TYPO3 Collective Security Bulletin TYPO3-SA-2009-005: Several 
vulnerabilities in third party extensions

Release Date: April 6, 2009

Please read first: This Collective Security Bulletin (CSB) is a listing 
of vulnerable extensions with neither significant download numbers, nor 
other special importance amongst the TYPO3 Community. The intention of 
CSBs is to reduce the workload of the TYPO3 Security Team and of the 
maintainers of extensions with vulnerabilities. Nevertheless, 
vulnerabilities in TYPO3 core or important extensions will still get the 
well-known single Security Bulletin each.

Please read our buzz blog post, which has a detailed explanation on CSBs.

All vulnerabilities affect third party extensions. These extensions are 
not part of the TYPO3 default installation.



Extension: A21glossary Advanced Output (a21glossary_advanced_output)
Affected Versions: 0.1.11 and all versions below
Vulnerability Type: SQL Injection
Severity: High
Solution: An update (version 0.1.12) is available from the TYPO3 
extension manager and at 
http://typo3.org/extensions/repository/view/a21glossary_advanced_output/0.1.12/.
Credits: Credits go to Alexander Kellner und Steffen Müller, who 
discovered and reported the issue.



Extension: ClickStream Analyzer [output] (alternet_csa_out)
Affected Versions: 0.3.0 and all versions below
Vulnerability Type: Information Disclosure
Severity: Low
Solution: Versions of this extension that are known to be vulnerable 
will no longer be available for download from the TYPO3 Extension 
Repository. The author told us that he's no longer maintaining this 
extension. Please uninstall and delete all files belonging to it from 
your TYPO3 installation.
Credits: Credits go to Valery Romanchev, who discovered and reported the 
issue.



Extension: Directory Listing (dir_listing)
Affected Versions: 1.1.0 and all versions below
Vulnerability Type: Directory traversal
Severity: Medium
Solution: Versions of this extension that are known to be vulnerable 
will no longer be available for download from the TYPO3 Extension 
Repository. Please uninstall and delete all files belonging to it from 
your TYPO3 installation.
Note: This extensions has been removed from TER in March 2006 due to 
this vulnerability. However, it was possible to download it again in 
early 2009 because of a bug in the TYPO3 extension repository.
Credits: Credits go to Peter Athmann, who discovered and reported the 
issue once again.



Extension: Store Locator (locator)
Affected Versions: 1.2.6 and all versions below
Vulnerability Type: Cross-Site Scripting (XSS), SQL Injection
Severity: High
Solution: An update (version 1.2.8) is available from the TYPO3 
extension manager and at 
http://typo3.org/extensions/repository/view/locator/1.2.8/.
Note: At the time of writing, the most recent version of Store Locator 
is version 1.2.9 which is available at 
http://typo3.org/extensions/repository/view/locator/1.2.9/.
Credits: Credits go to Christian Weiske, who discovered and reported the 
issue.



Extension: Userdata Create/Edit (sg_userdata)
Affected Versions: 0.90.111 and all versions below
Vulnerability Type: Cross-Site Scripting (XSS)
Severity: Medium
Solution: An update (version 0.91.0) is available from the TYPO3 
extension manager and at 
http://typo3.org/extensions/repository/view/sg_userdata/0.91.0/.
Credits: Credits go to Alexander Kellner, who discovered and reported 
the issue.



Extension: Versatile Calendar Extension [VCE] (sk_calendar)
Affected Versions: 0.3.3 and all versions below
Vulnerability Type: SQL Injection
Severity: High
Solution: An update (version 0.3.4) is available from the TYPO3 
extension manager and at 
http://typo3.org/extensions/repository/view/sk_calendar/0.3.4/.
Credits: Credits go to Christian Seifert, who discovered and reported 
the issue.



Extension: ultraCards (th_ultracards)
Affected Versions: 0.5.0 and all versions below
Vulnerability Type: SQL Injection
Severity: High
Solution: An update (version 0.5.1) is available from the TYPO3 
extension manager and at 
http://typo3.org/extensions/repository/view/th_ultracards/0.5.1/.
Credits: Credits go to Alexander Kellner, who discovered and reported 
the issue.



Extension: Visitor Tracking (ws_stats)
Affected Versions: 0.1.1 and all versions below
Vulnerability Type: Cross-Site Scripting (XSS)
Severity: Medium
Solution: An update (version 0.1.2) is available from the TYPO3 
extension manager and at 
http://typo3.org/extensions/repository/view/ws_stats/0.1.2/.
Credits: Credits go to Christian Seifert, who discovered and reported 
the issue.

________________________________________________________________________


TYPO3 Security Bulletin TYPO3-SA-2009-004: Information Disclosure in
extension "Frontend User Registration" (sr_feuser_register)

Release Date: April 6, 2009

Component Type: Third party extension. This extension is not a part of a 
TYPO3 default installation.

Affected Versions: 2.5.20 and all versions below

Vulnerability Type: Information Disclosure

Severity: High

Problem Description: Failing to properly check access rights, the
extension is susceptible to information disclosure, making it possible
for a logged in frontend user to get hold of information (including the
password) of other frontend user records.

Solution: An updated version 2.5.21 is available from the TYPO3
extension manager and at 
http://typo3.org/extensions/repository/view/sr_feuser_register/2.5.21/. 
Users of the extension are advised to update the extension as soon as
possible.

Credits: Credits go to Thomas Renner and Christian Münch, who discovered
the issue and Steffen Gebert who reported it to us.



General advice: Follow the recommendations that are given in the TYPO3
Security Cookbook. Please subscribe to the typo3-announce mailing list
in order to receive future Security Bulletins via E-mail.


======================================================================

           =========================================================
           Les serveurs de référence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================