====================================================================

                           CERT-Renater

                Information Note No. 2017/VULN244
_____________________________________________________________________

DATE                 : 07/09/2017

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running TYPO3 CMS versions 7, 8 prior to
                       7.6.22, 8.7.5.

=====================================================================
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2017-007/
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2017-006/
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2017-005/
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2017-004/
____________________________________________________________________

TYPO3-CORE-SA-2017-007: Arbitrary Code Execution in TYPO3 CMS

September 05, 2017
Category: TYPO3 CMS
Author: Oliver Hader
Keywords: Security, Arbitrary Code Execution

It has been discovered that TYPO3 CMS is vulnerable to Arbitrary Code
Execution.

Component Type: TYPO3 CMS
Release Date: September 5, 2017

Vulnerability Type: Arbitrary Code Execution
Affected Versions: 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4
Severity: None - High (depending on web server configuration)
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVE: not assigned yet

Problem Description: Due to a missing file extension in the
fileDenyPattern, backend users are allowed to upload *.pht files, which
can be executed in certain web server setups.

The new default fileDenyPattern is the following; it might have been
overridden in the TYPO3 Install Tool.

    \.(php[3-7]?|phpsh|phtml|pht)(\..*)?$|^\.htaccess$

Solution: Update to TYPO3 versions 7.6.22 or 8.7.5 that fix the problem
described, and make sure overridden settings for
TYPO3_CONF_VARS/BE/fileDenyPattern are adjusted.

Credits: Thanks to Maurizio Siddu who reported this issue and to TYPO3
core team member Susanne Moog who fixed the issue.
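
Added example (not part of the TYPO3 bulletin and not TYPO3 code): a check that an overridden TYPO3_CONF_VARS/BE/fileDenyPattern still rejects what the new default in TYPO3-CORE-SA-2017-007 rejects. The override pattern and the probe file names are constructed, and applying the pattern as a case-insensitive regex search over the file name is an assumption.

```python
import re

# New default fileDenyPattern quoted in TYPO3-CORE-SA-2017-007.
NEW_DEFAULT = r"\.(php[3-7]?|phpsh|phtml|pht)(\..*)?$|^\.htaccess$"

# Constructed example of a site-specific override written without the
# "pht" alternative (hypothetical, not taken from the bulletin).
OVERRIDE_WITHOUT_PHT = r"\.(php[3-7]?|phpsh|phtml)(\..*)?$|^\.htaccess$"

# Constructed probe names. MUST_DENY covers every alternative of the new
# default; MUST_ALLOW guards against an override that blocks ordinary files.
MUST_DENY = ["a.php", "a.php5", "a.phpsh", "a.phtml", "a.pht",
             "A.PHT", "a.pht.txt", ".htaccess"]
MUST_ALLOW = ["photo.jpg", "report.pdf", "pht.txt"]


def is_denied(pattern: str, filename: str) -> bool:
    # Assumption: the pattern is applied as a case-insensitive regex
    # search over the bare file name.
    return re.search(pattern, filename, re.IGNORECASE) is not None


def audit(pattern: str) -> dict:
    """Report probe names the pattern handles differently than required."""
    return {
        "not_denied": [n for n in MUST_DENY if not is_denied(pattern, n)],
        "wrongly_denied": [n for n in MUST_ALLOW if is_denied(pattern, n)],
    }


def covers_fix(pattern: str) -> bool:
    """True when the pattern denies every MUST_DENY probe and nothing else."""
    result = audit(pattern)
    return not result["not_denied"] and not result["wrongly_denied"]


if __name__ == "__main__":
    for label, pat in [("new default", NEW_DEFAULT),
                       ("override without pht", OVERRIDE_WITHOUT_PHT)]:
        print(label, audit(pat), "OK" if covers_fix(pat) else "ADJUST")
```

To audit a real installation, pass the value configured for fileDenyPattern to audit() in place of the constructed override.
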

General Advice: Follow the recommendations that are given in the TYPO3
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you
can easily look them up on our review system.
____________________________________________________________________

TYPO3-CORE-SA-2017-006: Information Disclosure in TYPO3 CMS

September 05, 2017
Category: TYPO3 CMS
Author: Oliver Hader
Keywords: Security, Information Disclosure

It has been discovered that TYPO3 CMS is susceptible to Information
Disclosure.

Component Type: TYPO3 CMS
Release Date: September 5, 2017

Vulnerability Type: Information Disclosure
Affected Versions: 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4
Severity: Low
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C
CVE: not assigned yet

Problem Description: HTTP requests being performed using the TYPO3 API
expose the specific TYPO3 version to the called endpoint.

Solution: Update to TYPO3 versions 7.6.22 or 8.7.5 that fix the problem
described.

Credits: Thanks to TYPO3 core team member Sascha Egerer who reported the
issue and to TYPO3 core team member Susanne Moog who fixed the issue.

General Advice: Follow the recommendations that are given in the TYPO3
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you
can easily look them up on our review system.
____________________________________________________________________

TYPO3-CORE-SA-2017-005: Information Disclosure in TYPO3 CMS

September 05, 2017
Category: TYPO3 CMS
Author: Oliver Hader
Keywords: Security, Information Disclosure

It has been discovered that TYPO3 CMS is susceptible to Information
Disclosure.

Component Type: TYPO3 CMS
Release Date: September 5, 2017

Vulnerability Type: Information Disclosure
Affected Versions: 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C
CVE: not assigned yet

Problem Description: Because user permissions on file storages were not
properly checked, editors could gain knowledge of protected storages and
their folders, and could use them in a file collection rendered in the
frontend. A valid backend user account is needed to exploit this
vulnerability.

Solution: Update to TYPO3 versions 7.6.22 or 8.7.5 that fix the problem
described.

Credits: Thanks to Tobias Kummer who reported this issue and to TYPO3
core and security team member Georg Ringer who fixed the issue.

General Advice: Follow the recommendations that are given in the TYPO3
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you
can easily look them up on our review system.
____________________________________________________________________

TYPO3-CORE-SA-2017-004: Cross-Site Scripting in TYPO3 CMS Backend

September 05, 2017
Category: TYPO3 CMS
Author: Oliver Hader
Keywords: Security, Cross-Site Scripting

It has been discovered that TYPO3 CMS is vulnerable to Cross-Site
Scripting.

Component Type: TYPO3 CMS
Release Date: September 5, 2017

Vulnerability Type: Cross-Site Scripting
Affected Versions: 8.0.0 to 8.7.4
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C
CVE: not assigned yet

Problem Description: Because user input is not properly encoded, backend
forms are vulnerable to Cross-Site Scripting. A valid backend user
account is needed to exploit this vulnerability.

Solution: Update to TYPO3 version 8.7.5 that fixes the problem described.

Credits: Thanks to TYPO3 core and security team member Georg Ringer who
reported and fixed the issue.

General Advice: Follow the recommendations that are given in the TYPO3
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you
can easily look them up on our review system.

==========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel  |    fax : 01-53-94-20-41          +
+ 75013 Paris         |    email: cert@support.renater.fr +
==========================================================