
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN272
_____________________________________________________________________

DATE                : 15/05/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running one of the following TYPO3 extensions:
                     phpMyAdmin (ext:phpmyadmin), versions prior to 5.6.2,
                     Direct Mail (ext:direct_mail), versions prior to 5.2.4,
                     gForum (ext:g_forum), versions up to and including 0.0.29,
                     Job Fair (ext:jobfair), versions up to and including 1.0.12,
                     SVG Sanitizer (ext:svg_sanitizer), versions prior to 1.0.3.

=====================================================================
https://typo3.org/security/advisory/typo3-ext-sa-2020-004
https://typo3.org/security/advisory/typo3-ext-sa-2020-005
https://typo3.org/security/advisory/typo3-ext-sa-2020-006
https://typo3.org/security/advisory/typo3-ext-sa-2020-007
https://typo3.org/security/advisory/typo3-ext-sa-2020-008
_____________________________________________________________________

Tue. 12th May, 2020
TYPO3-EXT-SA-2020-004: SQL Injection in extension "phpMyAdmin" (phpmyadmin)
Categories: Development, Security | Created by Torben Hansen


It has been discovered that the extension "phpMyAdmin" (phpmyadmin) is
susceptible to SQL Injection.

    Release Date: May 12, 2020
    Component Type: Third party extension. This extension is not a part
of the TYPO3 default installation.
    Component: phpMyAdmin (ext:phpmyadmin)
    Vulnerability Type: SQL Injection
    Affected Versions: 5.6.1 and below
    Severity: High
    Suggested CVSS v3.1: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
    References: CVE-2020-10802, CVE-2020-10803 and CVE-2020-10804


Problem Description

Multiple vulnerabilities have been found in the phpMyAdmin component.

    PMASA-2020-2 - SQL injection with processing username
    PMASA-2020-3 - SQL injection relating to searching
    PMASA-2020-4 - SQL injection relating to data display


Solution

An updated version 5.6.2 is available from the TYPO3 extension manager
and at
https://extensions.typo3.org/extension/download/phpmyadmin/5.6.2/zip/
Users of the extension are advised to update the extension as soon as
possible.

Note: In general, the TYPO3 Security Team recommends not using any
extension that bundles database or file management tools on production
TYPO3 websites.


Credits

Thanks to Andreas Beutel for providing a TYPO3 extension package with an
updated phpMyAdmin version.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.

_____________________________________________________________________

Tue. 12th May, 2020
TYPO3-EXT-SA-2020-005: Multiple vulnerabilities in extension "Direct
Mail" (direct_mail)
Categories: Development, Security | Created by Torben Hansen

It has been discovered that the extension "Direct Mail" (direct_mail) is
susceptible to Denial of Service, Broken Access Control, Open Redirect
and Information Disclosure.


    Release Date: May 12, 2020
    Component Type: Third party extension. This extension is not a part
of the TYPO3 default installation.
    Component: Direct Mail (ext:direct_mail)
    Vulnerability Type: Denial of Service, Broken Access Control, Open
Redirect and Information Disclosure
    Affected Versions: 5.2.3 and below
    Severity: High
    Suggested CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H/E:F/RL:O/RC:C
    References: CVE-2020-12697, CVE-2020-12698, CVE-2020-12699 and
CVE-2020-12700


Problem Description

Denial of Service (CVE-2020-12697)
The extension provides a functionality to log clicks on links in sent
newsletters. This functionality does not limit the amount of log entries
generated per link, so it is possible to use a valid link to fill the
log table with a huge amount of records.

Broken Access Control (CVE-2020-12698)
The extension fails to check if an authenticated backend user has access
to newsletter subscriber tables (e.g. tt_address, fe_users) when using
the CSV export function of the extension.

Open Redirect (CVE-2020-12699)
The extension does not properly implement "jumpUrl" handling, so the
redirect target of tracked links sent in newsletters can be replaced,
resulting in an Open Redirect.
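The usual way to close this class of jumpUrl open redirect is to bind every tracked link to a signature computed by the sender, so the click handler refuses any destination it did not itself produce. The following is an added illustration, not code from the Direct Mail extension; the parameter names (jumpurl, mid, rid, juHash) and the signing key are assumptions chosen for this example.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed key for this example; a real site would use its own secret.
SIGNING_KEY = b"constructed-example-key"


def _signature(target: str, mail_id: int, recipient_id: int) -> str:
    """HMAC over everything the redirect is allowed to depend on."""
    msg = f"{mail_id}|{recipient_id}|{target}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def build_jump_url(base: str, target: str, mail_id: int, recipient_id: int) -> str:
    """Called while rendering the newsletter: each tracked link carries its
    own signature, so only destinations the sender placed in the mail can
    later be resolved. Parameter names are assumptions for this example."""
    query = {"jumpurl": target, "mid": mail_id, "rid": recipient_id,
             "juHash": _signature(target, mail_id, recipient_id)}
    return f"{base}?{urlencode(query)}"


def resolve_jump_url(request_url: str) -> Optional[str]:
    """Called on click: return the redirect target only if its signature
    verifies. A missing hash or an edited target is refused, which is what
    closes the open redirect (the click-log write would happen after this)."""
    q = parse_qs(urlparse(request_url).query)
    try:
        target = q["jumpurl"][0]
        mail_id = int(q["mid"][0])
        recipient_id = int(q["rid"][0])
        given = q["juHash"][0]
    except (KeyError, ValueError):
        return None
    expected = _signature(target, mail_id, recipient_id)
    if not hmac.compare_digest(expected, given):
        return None
    return target
```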

Information Disclosure (CVE-2020-12700)
The extension fails to check if an authenticated backend user has access
to pages with newsletter subscriber data when using the "Special query"
feature. Exploiting this issue leads to information disclosure, since it
is possible to use the CSV export function of the extension to export
subscriber data from pages the backend user does not have access to.


Solution

An updated version 5.2.4 is available from the TYPO3 extension manager
and at
https://extensions.typo3.org/extension/download/direct_mail/5.2.4/zip/
Users of the extension are advised to update the extension as soon as
possible.


Credits

Thanks to Gernot Leitgab for reporting the Information Disclosure Issue,
Kurt Dirnbauer for reporting the Open Redirect Issue, TYPO3 security
team member Torben Hansen for reporting the Denial of Service Issue and
Ivan Kartolo for reporting the Broken Access Control issue and providing
a fixed version of the extension.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.

_____________________________________________________________________

Tue. 12th May, 2020
TYPO3-EXT-SA-2020-006: Broken Access Control in extension "gForum" (g_forum)
Categories: Development, Security | Created by Torben Hansen

It has been discovered that the extension "gForum" (g_forum) is
susceptible to Broken Access Control.

    Release Date: May 12, 2020
    Component Type: Third party extension. This extension is not a part
of the TYPO3 default installation.
    Component: gForum (ext:g_forum)
    Vulnerability Type: Broken Access Control
    Affected Versions: 0.0.29 and below
    Severity: High
    Suggested CVSS v3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:F/RL:U/RC:C
    References: None


Problem Description

The extension fails to check the access rights of authenticated frontend
users, allowing them to create, edit and delete various records of the
extension without the proper permission.


Solution

All versions of this extension that are known to be vulnerable will no
longer be available for download from the TYPO3 Extension Repository,
since the extension is abandoned and has no extension maintainer
anymore.

Please uninstall and delete the extension folder from your installation
and search on the TYPO3 Extension Repository for alternative extensions.


Credits

Thanks to TYPO3 security team member Torben Hansen for discovering and
reporting the vulnerability.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


_____________________________________________________________________

Tue. 12th May, 2020
TYPO3-EXT-SA-2020-007: Sensitive Data Exposure in extension "Job Fair"
(jobfair)
Categories: Development, Security | Created by Torben Hansen


It has been discovered that the extension "Job Fair" (jobfair) is
susceptible to Sensitive Data Exposure.



    Release Date: May 12, 2020
    Component Type: Third party extension. This extension is not a part
of the TYPO3 default installation.
    Component: Job Fair (ext:jobfair)
    Vulnerability Type: Sensitive Data Exposure
    Affected Versions: 1.0.12 and below
    Severity: Medium
    Suggested CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:U/RC:C
    References: None


Problem Description

The extension fails to protect or obfuscate the filenames of uploaded
files. This allows unauthenticated users to download files containing
sensitive data simply by guessing the filename of an uploaded file (e.g.
uploads/tx_jobfair/cv.pdf).


Solution

All versions of this extension that are known to be vulnerable will no
longer be available for download from the TYPO3 Extension Repository.
The extension author failed to provide a security fix for the reported
vulnerability within a reasonable amount of time.

Please uninstall and delete the extension folder from your installation
and search on the TYPO3 Extension Repository for alternative extensions.


Credits

Thanks to Albrecht Köhnlein for discovering and reporting the
vulnerability.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.

_____________________________________________________________________

Tue. 12th May, 2020
TYPO3-EXT-SA-2020-008: Cross-Site Scripting in "SVG Sanitizer"
(svg_sanitizer)
Categories: Development, Security | Created by Oliver Hader


It has been discovered that the extension "SVG Sanitizer"
(svg_sanitizer) is vulnerable to Cross-Site Scripting.


    Release Date: May 12, 2020
    Component Type: Third party extension. This extension is not a part
of the TYPO3 default installation.
    Component: SVG Sanitizer (ext:svg_sanitizer)
    Vulnerability Type: Cross-Site Scripting
    Affected Versions: 1.0.2 and below
    Severity: Medium
    Suggested CVSS v3.1: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
    References: CVE-2020-11070, CWE-79


Problem Description

Slightly invalid or incomplete SVG markup is not correctly processed and
is therefore not sanitized at all. Although such markup is not valid, it
is still evaluated by browsers, which can lead to Cross-Site Scripting.
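The defensive lesson here is that a sanitizer must fail closed: input the sanitizer's parser cannot handle has to be rejected, because a browser's lenient parser will still render it. The following added example (written for this note, not the svg_sanitizer extension's code) parses the SVG as strict XML, returns None on any parse error or non-SVG root, and otherwise strips script elements, event-handler attributes and javascript: hrefs; the forbidden-element list is a constructed minimum, not a complete one.

```python
import xml.etree.ElementTree as ET
from typing import Optional

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # keep the default namespace on output

# Constructed rules for this example, not the extension's own list.
FORBIDDEN_TAGS = {"script", "foreignObject"}
URL_ATTRS = {"href"}  # covers both href and xlink:href after namespace stripping


def _local(name: str) -> str:
    """Strip a Clark-notation namespace: '{uri}rect' -> 'rect'."""
    return name.rsplit("}", 1)[-1]


def _clean(elem: ET.Element) -> None:
    """Remove script-capable attributes on this element, then recurse."""
    for attr in list(elem.attrib):
        local = _local(attr).lower()
        value = elem.attrib[attr].strip().lower()
        if local.startswith("on") or (local in URL_ATTRS and value.startswith("javascript:")):
            del elem.attrib[attr]
    for child in list(elem):
        # Non-string tags are comments/PIs; drop them along with forbidden elements.
        if not isinstance(child.tag, str) or _local(child.tag) in FORBIDDEN_TAGS:
            elem.remove(child)
        else:
            _clean(child)


def sanitize_svg(markup: str) -> Optional[str]:
    """Fail-closed sanitizer: return cleaned markup, or None when the input
    is not well-formed XML with an <svg> root. Truncated or malformed SVG is
    exactly the case a browser would still render, so it must not pass through."""
    try:
        root = ET.fromstring(markup)
    except ET.ParseError:
        return None
    if _local(root.tag) != "svg":
        return None
    _clean(root)
    return ET.tostring(root, encoding="unicode")
```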


Solution

An updated version 1.0.3 is available from the TYPO3 extension manager
and at
https://extensions.typo3.org/extension/download/svg_sanitizer/1.0.3/zip/
Users of the extension are advised to update the extension as soon as
possible.


Credits

Thanks to Matteo Bonaker who reported this issue and to TYPO3 merger
Frank Nägler who fixed the issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================