
====================================================================

                            CERT-Renater

               Information Note No. 2016/VULN071
_____________________________________________________________________

DATE                : 23/02/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running TYPO3 versions 6.2, 7.6
                         prior to 6.2.19, 7.6.4.

======================================================================
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-001
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-002
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-003
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-004
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-005
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-006
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-007
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-008
_____________________________________________________________________

TYPO3-CORE-SA-2016-001: SQL Injection in dbal

February 16, 2016

Category: TYPO3 CMS

Author: Nicole Cordes

Keywords: TYPO3 CMS, SQL Injection

It has been discovered that TYPO3 is susceptible to SQL Injection.

Component Type: TYPO3 CMS

Release Date: February 16, 2016


Vulnerable subcomponent: Dbal

Vulnerability Type: SQL Injection

Affected Versions: Versions 6.2.0 to 6.2.17

Severity: High

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:C/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: A flaw in the database escaping API results in a
SQL injection vulnerability when extension dbal is enabled and
configured for MySQL passthrough mode in its extension configuration.
All queries which use the DatabaseConnection::sql_query are vulnerable,
even if arguments were properly escaped with
DatabaseConnection::quoteStr beforehand.

Solution: Update to TYPO3 version 6.2.18 that fixes the problem described.

Credits: Thanks to Mohamed Rebai who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you
can easily look them up on our review system.

-------------------------------------------------------------------------------

TYPO3-CORE-SA-2016-002: Cross-Site Scripting in link validator component

February 16, 2016

Category: TYPO3 CMS

Author: Helmut Hummel

Keywords: TYPO3 CMS, Cross-Site Scripting

It has been discovered that TYPO3 is susceptible to Cross-Site
Scripting.

Component Type: TYPO3 CMS

Release Date: February 16, 2016


Vulnerable subcomponent: link validator

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.17 and 7.6.0 to 7.6.2

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to sanitize content from editors, the link
validator component is susceptible to Cross-Site Scripting. A valid
editor account with access to content which is scanned by the link
validator component is required to exploit this vulnerability.

Solution: Update to TYPO3 versions 6.2.18 or 7.6.3 that fix the problem
described.

Credits: Thanks to Steffen Müller who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you
can easily look them up on our review system.

-------------------------------------------------------------------------------

TYPO3-CORE-SA-2016-003: Cross-Site Scripting in legacy form component

February 16, 2016

Category: TYPO3 CMS

Author: Helmut Hummel

Keywords: TYPO3 CMS, Cross-Site Scripting

It has been discovered that TYPO3 is susceptible to Cross-Site
Scripting.

Component Type: TYPO3 CMS

Release Date: February 16, 2016


Vulnerable subcomponent: legacy form component

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.17

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to sanitize content from editors, the
legacy form component is susceptible to Cross-Site Scripting. A valid
editor account with access to a form content element is required to
exploit this vulnerability.

Solution: Update to TYPO3 version 6.2.18 that fixes the problem
described.

Credits: Thanks to Georg Ringer who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you
can easily look them up on our review system.

-------------------------------------------------------------------------------

TYPO3-CORE-SA-2016-004: Cross-Site Scripting in form component

February 16, 2016

Category: TYPO3 CMS

Author: Helmut Hummel

It has been discovered that TYPO3 is susceptible to Cross-Site
Scripting.

Component Type: TYPO3 CMS

Release Date: February 16, 2016


Vulnerable subcomponent: form component

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.17

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to sanitize content from unauthenticated
website visitors, the form component is susceptible to Cross-Site
Scripting.

Solution: Update to TYPO3 version 6.2.18 that fixes the problem
described.

Credits: Thanks to David Vieira-Kurz who discovered and reported the
issue.

General Advice: Follow the recommendations that are given in the TYPO3
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you
can easily look them up on our review system.

-------------------------------------------------------------------------------

TYPO3-CORE-SA-2016-005: XML External Entity (XXE) Processing in TYPO3 Core

February 23, 2016

Category: TYPO3 CMS

Author: Nicole Cordes

It has been discovered that TYPO3 is susceptible to XML External
Entity Processing.

Component Type: TYPO3 CMS

Release Date: February 23, 2016


Vulnerable subcomponent: TYPO3 CMS

Vulnerability Type: XML External Entity Processing

Affected Versions: Versions 6.2.0 to 6.2.18 and 7.6.0 to 7.6.3

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: All XML processing within TYPO3 CMS is vulnerable
to XXE processing. This can lead to the loading of internal and/or
external (file) content within an XML structure. Furthermore, it is
possible to inject arbitrary files for an XML Denial of Service attack.
For more information on that topic see
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing.

Solution: Update to TYPO3 versions 6.2.19 or 7.6.4 that fix the problem
described.

Important Note: Systems using a PHP version with libxml2 >= 2.9 should
be protected by default. Since version 2.9 the library changed its
behavior to disallow external entity processing by default.
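
Added example (not part of the TYPO3 bulletin and not TYPO3 code): one
way for PHP code to parse untrusted XML without depending on the libxml2
default described above. The helper name parseUntrustedXml() and the
sample documents are assumptions constructed for illustration.

```php
<?php
// Added example, not TYPO3 code. parseUntrustedXml() is a hypothetical helper.
function parseUntrustedXml(string $xml): DOMDocument
{
    if ($xml === '') {
        throw new RuntimeException('empty XML input');
    }
    // PHP 8.0+ requires libxml2 >= 2.9 and deprecates this call; older PHP
    // may link an older libxml2, so switch the entity loader off there.
    $legacy = PHP_VERSION_ID < 80000;
    $prevLoader = $legacy ? libxml_disable_entity_loader(true) : null;
    $prevErrors = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        // LIBXML_NONET blocks network fetches. LIBXML_NOENT is deliberately
        // not passed: it would turn entity substitution back on.
        if (!$doc->loadXML($xml, LIBXML_NONET)) {
            throw new RuntimeException('XML is not well-formed');
        }
        // Untrusted input has no need for a DTD: reject any document that
        // declares one, so no entity reference reaches later processing.
        foreach ($doc->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new RuntimeException('DOCTYPE not allowed');
            }
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
        if ($legacy) {
            libxml_disable_entity_loader($prevLoader);
        }
    }
}
// Constructed sample inputs.
$samples = [
    'plain'   => '<?xml version="1.0"?><item><title>ok</title></item>',
    'doctype' => '<?xml version="1.0"?><!DOCTYPE item [<!ENTITY e "x">]>'
               . '<item><title>&e;</title></item>',
];
echo 'libxml2 ', LIBXML_DOTTED_VERSION, PHP_EOL;
foreach ($samples as $name => $xml) {
    try {
        echo $name, ': ', parseUntrustedXml($xml)->documentElement->nodeName, PHP_EOL;
    } catch (RuntimeException $e) {
        echo $name, ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

The first output line shows the libxml2 version the PHP build is linked
against, which is the value the Important Note above refers to.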

Credits: Thanks to security team member Marcus Krause who discovered
and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you
can easily look them up on our review system.

-------------------------------------------------------------------------------

TYPO3-CORE-SA-2016-006: Cross-Site Scripting in TYPO3 component Backend

February 23, 2016

Category: TYPO3 CMS

Author: Nicole Cordes

It has been discovered that TYPO3 is susceptible to Cross-Site
Scripting.

Component Type: TYPO3 CMS

Release Date: February 23, 2016


Vulnerable subcomponent: Backend

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.18

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:P/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to properly encode incoming data, the
bookmark toolbar is susceptible to Cross-Site Scripting.

Solution: Update to TYPO3 version 6.2.19 that fixes the problem
described.

Credits: Thanks to Filipe Reis who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you
can easily look them up on our review system.

-------------------------------------------------------------------------------

TYPO3-CORE-SA-2016-007: Cross-Site Scripting in TYPO3 component CSS
styled content

February 23, 2016

Category: TYPO3 CMS

Author: Nicole Cordes

It has been discovered that TYPO3 is susceptible to Cross-Site
Scripting.

Component Type: TYPO3 CMS

Release Date: February 23, 2016


Vulnerable subcomponent: CSS styled content

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.18 and 7.6.0 to 7.6.3

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to properly encode user input, the CSS
styled content component is susceptible to Cross-Site Scripting,
allowing authenticated editors to inject arbitrary HTML or JavaScript.

Solution: Update to TYPO3 versions 6.2.19 or 7.6.4 that fix the problem
described.

Credits: Thanks to Jakub Galczyk who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you
can easily look them up on our review system.

-------------------------------------------------------------------------------

TYPO3-CORE-SA-2016-008: Denial of Service attack possibility in TYPO3
component Indexed Search

February 23, 2016

Category: TYPO3 CMS

Author: Nicole Cordes

It has been discovered that TYPO3 is susceptible to a Denial of
Service attack.

Component Type: TYPO3 CMS

Release Date: February 23, 2016


Vulnerable subcomponent: Indexed Search

Vulnerability Type: Denial of Service attack

Affected Versions: Versions 6.2.0 to 6.2.18 and 7.6.0 to 7.6.3

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Due to an oversized maximum result limit, TYPO3
component Indexed Search is susceptible to a Denial of Service attack.

Solution: Update to TYPO3 versions 6.2.19 or 7.6.4 that fix the problem
described.

Credits: Thanks to Jonas Felix who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you
can easily look them up on our review system.

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================




