
=====================================================================

                           CERT-Renater

               Information Note No. 2014/VULN241
_____________________________________________________________________

DATE                : 24/10/2014

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running TYPO3 versions prior to 4.5.37,
                             4.7.20, 6.1.12, 6.2.6.

======================================================================
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-002/
______________________________________________________________________


TYPO3-CORE-SA-2014-002: Multiple Vulnerabilities in TYPO3 CMS

October 22, 2014

Category: TYPO3 CMS
Author: Marcus Krause
Keywords: TYPO3 CMS, TYPO3-CORE-SA-2014-002, Denial of Service, Arbitrary
Shell Execution


It has been discovered that TYPO3 CMS is vulnerable to Denial of
Service and Arbitrary Shell Execution!


Component Type: TYPO3 CMS

Vulnerability Types: Denial of Service, Arbitrary Shell Execution

Overall Severity: Medium

Release Date: October 22, 2014


Vulnerable subcomponent: OpenID System Extension

Vulnerability Type: Denial of Service

Affected Versions: Versions 4.5.0 to 4.5.36, 4.7.0 to 4.7.19, 6.1.0 to
6.1.11 and 6.2.0 to 6.2.5

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:OF/RC:C

Related CVE: CVE-2013-4701

Problem Description: The OpenID library that is shipped with TYPO3
allows remote attackers to read arbitrary files, send HTTP requests to
intranet servers, or cause a denial of service (CPU and memory
consumption) via XRDS data containing an external entity declaration in
conjunction with an entity reference, related to an XML External Entity
(XXE) issue. All TYPO3 installations with the system extension openid
installed and enabled are affected.

Solution: Update to TYPO3 versions 4.5.37, 4.7.20, 6.1.12 or 6.2.6 that
fix the problem described.

Solution: Alternatively, disabling the openid system extension also
fixes the vulnerability if an update is currently not possible. However,
it is unlikely but possible that other third-party extensions use the
OpenID library, exposing the TYPO3 installation to this vulnerability
again. Therefore updating is strongly recommended.

Solution: TYPO3 branches 4.6 and 6.0 are also affected by this
vulnerability but have reached end of maintenance. We hereby provide
patches for these branches: 62357_4-6.diff, 62357_6-0.diff

Solution: Since the fix has also been committed to the 4.6 and 6.0
branches of our git source code repository, updating your installation
to the latest state of the corresponding branch also fixes the
vulnerability.

Credits: The vendor credits Kousuke Ebihara.



Vulnerable subcomponent: Swiftmailer library

Vulnerability Type: Arbitrary Shell Execution

Affected Versions: Versions 4.5.0 to 4.5.36, 4.7.0 to 4.7.19, 6.1.0 to
6.1.11 and 6.2.0 to 6.2.5

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:ND/RL:OF/RC:C

Related announcement: Swiftmailer release 5.2.1

Problem Description: The swiftmailer library in use allows the execution
of arbitrary shell commands if the "From" header comes from a
non-trusted source and no "Return-Path" is configured. Only TYPO3
installations where the configuration option

$GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport']

is set to "sendmail" are affected. Installations with the default
configuration are not affected.

Solution: Update to TYPO3 versions 4.5.37, 4.7.20, 6.1.12 or 6.2.6 that
fix the problem described.

Solution: TYPO3 branches 4.6 and 6.0 are also affected by this
vulnerability but have reached end of maintenance. We hereby provide
patches for these branches: 59573_4-6.diff, 59573_6-0.diff

Solution: Since the fix has also been committed to the 4.6 and 6.0
branches of our git source code repository, updating your installation
to the latest state of the corresponding branch also fixes the
vulnerability.

General Advice: Follow the recommendations that are given in the TYPO3
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you
can easily look them up on our review system.
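
Added example (not part of the TYPO3 bulletin or of CERT-Renater's note): a
triage helper that applies the affected ranges and the two exposure conditions
stated above to an inventory of installations. The function names, finding
labels and inventory rows are constructed for illustration; branches the
advisory does not mention are reported as "not-listed" rather than guessed.

```python
import re

# First fixed release per maintained branch, taken from the advisory.
FIXED = {(4, 5): 37, (4, 7): 20, (6, 1): 12, (6, 2): 6}
# Branches the advisory lists as affected but past end of maintenance.
EOL_AFFECTED = {(4, 6), (6, 0)}


def parse_version(text):
    """Return (major, minor, patch) from a string such as '6.2.5'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised TYPO3 version: %r" % text)
    return tuple(int(p) for p in m.groups())


def core_status(version):
    """Classify a core version against the ranges in the advisory."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in EOL_AFFECTED:
        return "affected-eol"  # needs the vendor patch or a git branch update
    if branch in FIXED:
        return "affected" if patch < FIXED[branch] else "fixed"
    return "not-listed"  # the advisory makes no statement on this branch


def triage(version, openid_enabled, mail_transport):
    """Return (core status, list of issues the installation is exposed to).

    openid_enabled: the openid system extension is installed and enabled.
    mail_transport: value of $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport'].
    """
    status = core_status(version)
    findings = []
    if status in ("affected", "affected-eol"):
        if openid_enabled:
            findings.append("openid-xxe")
        if mail_transport == "sendmail":
            findings.append("swiftmailer-shell")
    return status, findings


if __name__ == "__main__":
    # Constructed inventory: (host label, version, openid enabled, transport).
    inventory = [("web1", "6.2.5", True, "sendmail"),
                 ("web2", "4.6.18", False, "sendmail"),
                 ("web3", "6.2.6", True, "sendmail")]
    for host, version, openid, transport in inventory:
        print(host, *triage(version, openid, transport))
```

The openid flag only reflects the system extension; as noted above, a
third-party extension that uses the OpenID library has to be reviewed separately.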

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
