
====================================================================

                             CERT-Renater

                 Information Note No. 2019/VULN416
_____________________________________________________________________

DATE                : 17/12/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running MKSamlAuth for TYPO3,
                       Change password for frontend users for TYPO3,
                       File List for TYPO3,
                       femanager direct mail subscription for TYPO3,
                       femanager for TYPO3.

=====================================================================
https://typo3.org/security/advisory/typo3-ext-sa-2019-019/
https://typo3.org/security/advisory/typo3-ext-sa-2019-020/
https://typo3.org/security/advisory/typo3-ext-sa-2019-021/
https://typo3.org/security/advisory/typo3-ext-sa-2019-022/
https://typo3.org/security/advisory/typo3-ext-sa-2019-023/
_____________________________________________________________________

 Tue. 17th December, 2019
TYPO3-EXT-SA-2019-019: Multiple vulnerabilities in extension
"MKSamlAuth" (mksamlauth)
Categories: Development
Created by Torben Hansen

It has been discovered that the extension "MKSamlAuth" (mksamlauth) is
susceptible to Broken Authentication and Authentication Bypass.

    Release Date: December 17, 2019
    Component Type: Third party extension. This extension is not a part
                    of the TYPO3 default installation.
    Vulnerability Type: Broken Authentication, Authentication Bypass
    Affected Versions: 9.5.2 - 9.5.0 and 8.7.1 - 8.7.0
    Severity: High
    Suggested CVSS v3.1:
                       AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N/E:F/RL:O/RC:C
    CVE: Not assigned yet


Problem Description

The extension fails to validate the response from the Identity Provider,
which allows an attacker to create various frontend users on affected
TYPO3 websites.

The authentication service allows frontend user authentication to be
bypassed by providing a valid username with an empty password if no
SAML configuration has been created for the current website domain.


Solution

Updated versions 9.5.3 and 8.7.2 are available from the TYPO3 extension
manager, Packagist and at
https://extensions.typo3.org/extension/download/mksamlauth/9.5.3/zip/
https://extensions.typo3.org/extension/download/mksamlauth/8.7.2/zip/
Users of the extension are advised to update the extension as soon as
possible.

Note: It was not possible to fix the security issues without breaking
changes. At a minimum, the SAML configuration record(s) in the TYPO3
backend must be reconfigured, because one configuration field has been
added in order to mitigate the broken authentication issue.

Also note that the new extension version in the TYPO3 Extension
Repository does not bundle all required dependencies. The extension only
works using TYPO3 in composer mode.


Credits

Credits go to Helmut Hummel who discovered and reported the
vulnerability.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.

_____________________________________________________________________

 Tue. 17th December, 2019
TYPO3-EXT-SA-2019-020: CSRF in extension "Change password for frontend
users" (fe_change_pwd)
Categories: Development
Created by Torben Hansen

It has been discovered that the extension "Change password for frontend
users" (fe_change_pwd) is susceptible to Cross-Site-Request-Forgery
(CSRF).

    Release Date: December 17, 2019
    Component Type: Third party extension. This extension is not a part
                    of the TYPO3 default installation.
    Vulnerability Type: Cross-Site-Request-Forgery
    Affected Versions: 1.4.1 and below
    Severity: Medium
    Suggested CVSS v3.1:
                       AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N/E:F/RL:O/RC:C
    CVE: Not assigned yet


Problem Description

The extension fails to implement CSRF protection for the update
password action.


Solution

An updated version 1.5.0 is available from the TYPO3 extension manager,
Packagist and at
https://extensions.typo3.org/extension/download/fe_change_pwd/1.5.0/zip/
Users of the extension are advised to update the extension as soon as
possible.

Note: If the template Edit.html has been modified individually, you
must add <f:form.hidden property="changeHmac" /> right after the
<f:form> tag in your template.
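
Added example (not code from fe_change_pwd or TYPO3): the kind of
server-side check that a hidden HMAC form field such as changeHmac makes
possible, shown in plain PHP. The function names, token layout, secret
and sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: names, token layout and secret handling are assumptions,
// not the fe_change_pwd implementation.

/** Build the hidden-field value, bound to one user and one action. */
function buildChangeToken(string $secret, int $userUid, string $action, int $issuedAt): string
{
    $payload = $userUid . '|' . $action . '|' . $issuedAt;
    return $issuedAt . ':' . hash_hmac('sha256', $payload, $secret);
}

/** Verify the submitted field before the state-changing action runs. */
function isValidChangeToken(
    string $secret,
    int $userUid,
    string $action,
    string $token,
    int $now,
    int $maxAge = 3600
): bool {
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false; // missing or malformed field: reject, never skip the check
    }
    $issuedAt = (int)$parts[0];
    if ($issuedAt > $now || $now - $issuedAt > $maxAge) {
        return false; // future-dated or expired token
    }
    $expected = buildChangeToken($secret, $userUid, $action, $issuedAt);
    return hash_equals($expected, $token); // constant-time comparison
}

// Constructed sample values for the demonstration.
$secret = 'constructed-demo-secret'; // a real site uses a per-installation secret
$now    = 1576540800;                // constructed timestamp
$token  = buildChangeToken($secret, 42, 'updatePassword', $now);

// Case 1: form rendered for user 42 and submitted a minute later.
var_dump(isValidChangeToken($secret, 42, 'updatePassword', $token, $now + 60));
// Case 2: hidden field absent, as in a request that did not come from the site's form.
var_dump(isValidChangeToken($secret, 42, 'updatePassword', '', $now + 60));
// Case 3: token issued to a different user.
var_dump(isValidChangeToken($secret, 43, 'updatePassword', $token, $now + 60));
// Case 4: token older than the allowed lifetime.
var_dump(isValidChangeToken($secret, 42, 'updatePassword', $token, $now + 7200));
```

A customized template that omits the hidden field corresponds to case 2:
the request carries no token and is rejected.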


Credits

Credits go to Security Team Member Torben Hansen who discovered and
reported the vulnerability.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.

_____________________________________________________________________

 Tue. 17th December, 2019
TYPO3-EXT-SA-2019-021: Cross Site Scripting in extension "File List"
(file_list)
Categories: Development
Created by Torben Hansen

It has been discovered that the extension "File List" (file_list) is
susceptible to Cross Site Scripting.

    Release Date: December 17, 2019
    Component Type: Third party extension. This extension is not a part
                    of the TYPO3 default installation.
    Vulnerability Type: Cross Site Scripting
    Affected Versions: 2.3.1 and below
    Severity: Medium
    Suggested CVSS v3.1:
                       AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
    CVE: Not assigned yet


Problem Description

The extension fails to properly encode user input for output in HTML
context.


Solution

An updated version 2.3.2 is available from the TYPO3 extension manager,
Packagist and at
https://extensions.typo3.org/extension/download/file_list/2.3.2/zip
Users of the extension are advised to update the extension as soon as
possible.


Credits

Credits go to Marcus Schwemer who discovered and reported the
vulnerability.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.

_____________________________________________________________________

 Tue. 17th December, 2019
TYPO3-EXT-SA-2019-022: Privilege Escalation in extension "femanager
direct mail subscription" (femanager_dmail_subscribe)
Categories: Development
Created by Torben Hansen

It has been discovered that the extension "femanager direct mail
subscription" (femanager_dmail_subscribe) is susceptible to Privilege
Escalation.

    Release Date: December 17, 2019
    Component Type: Third party extension. This extension is not a part
                    of the TYPO3 default installation.
    Vulnerability Type: Privilege Escalation
    Affected Versions: 2.1.2 - 2.1.0
    Severity: Medium
    Suggested CVSS v3.1:
                       AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:F/RL:O/RC:C
    CVE: Not assigned yet


Problem Description

Failing to properly check access rights, the extension is susceptible to
privilege escalation, making it possible for a logged in frontend user
to modify other frontend user records.


Solution

An updated version 2.1.3 is available from the TYPO3 extension manager,
Packagist and at
https://extensions.typo3.org/extension/download/femanager_dmail_subscribe/2.1.3/zip
Users of the extension are advised to update the extension as soon as
possible.


Credits

Credits go to Alexander Kellner who discovered and reported the
vulnerability.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.

_____________________________________________________________________

 Tue. 17th December, 2019
TYPO3-EXT-SA-2019-023: CSRF in extension "femanager" (femanager)
Categories: Development
Created by Torben Hansen

It has been discovered that the extension "femanager" (femanager) is
susceptible to Cross-Site-Request-Forgery (CSRF).

    Release Date: December 17, 2019
    Component Type: Third party extension. This extension is not a part
                    of the TYPO3 default installation.
    Vulnerability Type: Cross-Site Request Forgery
    Affected Versions: 5.1.1 and below
    Severity: Medium
    Suggested CVSS v3.1:
                       AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N/E:F/RL:O/RC:C
    CVE: Not assigned yet


Problem Description

The extension fails to implement CSRF protection for the edit and
delete actions.


Solution

An updated version 5.2.0 is available from the TYPO3 extension manager,
Packagist and at
https://extensions.typo3.org/extension/download/femanager/5.2.0/zip
Users of the extension are advised to update the extension as soon as
possible.

Note: Make sure to read the release notes, since manual template
changes are required if the templates Templates/Edit/Edit.html or
Partials/Misc/DeleteLink.html have been modified individually.


Credits

Credits go to Helmut Hummel who discovered and reported the
vulnerability.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================





