
====================================================================

                                CERT-Renater

                      Information Note No. 2012/VULN169
____________________________________________________________________

DATE                : 29/03/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running TYPO3 Core versions 4.4.0 up to
                       4.4.13, 4.5.0 up to 4.5.13, 4.6.0 up to 4.6.6
                       and development releases of the 4.7 and 6.0 branch.

======================================================================
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-001/
______________________________________________________________________

TYPO3 Security Bulletin TYPO3-CORE-SA-2012-001: Several Vulnerabilities
in TYPO3 Core

Component Type: TYPO3 Core

Affected Versions: 4.4.0 up to 4.4.13, 4.5.0 up to 4.5.13, 4.6.0 up to
4.6.6 and development releases of the 4.7 and 6.0 branch.

Vulnerability Types: Cross-Site Scripting, Information Disclosure,
Insecure Unserialize

Overall Severity: Medium

Release Date: March 28, 2012



Vulnerable subcomponent: Extbase Framework

Affected Versions: Versions 4.4.x and 4.5.x are not affected by this
vulnerability.

Vulnerability Type: Insecure Unserialize

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C

Problem Description: Due to a missing signature (HMAC) for a request
argument, an attacker could unserialize arbitrary objects within TYPO3.

To our knowledge it is neither possible to inject code through this
vulnerability, nor are there exploitable objects within the TYPO3 Core.
However, there might be exploitable objects within third party extensions.
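
Added example (not TYPO3 or Extbase code): one way to bind an HMAC to a
serialized request argument so that it is verified before unserialize() is
ever called. The function names, the argument layout (payload.mac) and the
key are assumptions made for illustration.

```php
<?php
// Added example, not TYPO3 code. $secret stands in for a per-installation
// key (assumption); both function names are hypothetical.

/** Serialize a value and append an HMAC so the server can detect tampering. */
function signArgument(array $value, string $secret): string
{
    $payload = base64_encode(serialize($value));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

/** Return the value only if the HMAC matches; unverified input is never unserialized. */
function verifyAndUnserialize(string $argument, string $secret): ?array
{
    $parts = explode('.', $argument);
    if (count($parts) !== 2) {
        return null; // malformed: missing or extra separator
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, $secret);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return null; // signature mismatch: reject before unserialize()
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null;
    }
    // Defense in depth: do not instantiate classes even from signed data.
    $value = unserialize($raw, ['allowed_classes' => false]);
    return is_array($value) ? $value : null;
}

// Constructed sample data.
$secret = 'constructed-demo-key-not-for-production';
$signed = signArgument(['page' => 3, 'sort' => 'title'], $secret);
var_dump(verifyAndUnserialize($signed, $secret));

// A payload changed after signing no longer matches the MAC it carries.
[, $oldMac] = explode('.', $signed);
$tampered = base64_encode(serialize(['page' => 999])) . '.' . $oldMac;
var_dump(verifyAndUnserialize($tampered, $secret));
```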

Solution: Update to TYPO3 version 4.6.7, which fixes the problem described!

Note: The same problem applies to FLOW3. See the corresponding advisory
TYPO3-FLOW3-SA-2012-001 for more information.

Credits: Credits go to Security Team Member Helmut Hummel who discovered
and reported the issue.




Vulnerable subcomponent: TYPO3 Backend

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C

Problem Description: Failing to properly HTML-encode user input in several
places, the TYPO3 backend is susceptible to Cross-Site Scripting. A valid
backend user is required to exploit these vulnerabilities.

Solution: Update to the TYPO3 versions 4.4.14, 4.5.14 or 4.6.7 that fix
the problem described!

Important Note: With these TYPO3 versions the description field of the
filelink content element is HTML encoded by default. If you allowed editors
to enter HTML code in this field, you may want to add the following line to
your TypoScript template, before updating.

tt_content.uploads.20.itemRendering.20.2.htmlSpecialChars = 0

Allowing HTML in this field is discouraged for editors, same as allowing
the plain HTML content element.

Credits: Credits go to Security Team Members Georg Ringer and Oliver Klee
who discovered and reported the issues.




Vulnerable subcomponent: TYPO3 Command Line Interface

Vulnerability Type: Information Disclosure

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C

Problem Description: Accessing a CLI Script directly with a browser may
disclose the database name used for the TYPO3 installation.

Solution: Update to the TYPO3 versions 4.4.14, 4.5.14 or 4.6.7 that fix
the problem described!

Credits: Credits go to Chris John Riley who discovered and reported the
issue.




Vulnerable subcomponent: TYPO3 HTML Sanitizing API

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C

Problem Description: By not removing non-printable characters, the API
method t3lib_div::RemoveXSS() fails to filter specially crafted HTML
injections and is thus susceptible to Cross-Site Scripting.

Note: Developers should never rely on the blacklist of RemoveXSS() alone,
but should always properly encode user input before outputting it again.

Solution: Update to the TYPO3 versions 4.4.14, 4.5.14 or 4.6.7 that fix the
problem described!

Credits: Credits go to Marc Wöhlken who discovered and reported the issue.



General Advice: Follow the recommendations that are given in the TYPO3
Security Guide. Please subscribe to the typo3-announce mailing list.
======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
