copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2014.0820 - [Win][UNIX/Linux] TYPO3: Cross-site scripting - Remote with user interaction

Date: 26 May 2014
References: ESB-2014.0858  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0820
       TYPO3-CORE-SA-2014-001: Multiple Vulnerabilities in TYPO3 CMS
                                26 May 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           TYPO3
Publisher:         TYPO3
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Remote/Unauthenticated      
                   Access Confidential Data       -- Remote/Unauthenticated      
                   Unauthorised Access            -- Remote/Unauthenticated      
                   Reduced Security               -- Existing Account            
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-001/

- --------------------------BEGIN INCLUDED TEXT--------------------

TYPO3-CORE-SA-2014-001: Multiple Vulnerabilities in TYPO3 CMS

May 22, 2014

Category: TYPO3 CMS

Author: Helmut Hummel

Keywords: TYPO3 CMS, TYPO3-CORE-SA-2014-001, Cross-Site Scripting, Insecure 
Unserialize, Improper Session Invalidation, Authentication Bypass, Information
Disclosure, Host Spoofing

It has been discovered that TYPO3 CMS is vulnerable to Cross-Site Scripting, 
Insecure Unserialize, Improper Session Invalidation, Authentication Bypass, 
Information Disclosure and Host Spoofing.

Component Type: TYPO3 CMS

Vulnerability Types: Cross-Site Scripting, Insecure Unserialize, Improper 
Session Invalidation, Authentication Bypass, Information Disclosure and Host 
Spoofing

Overall Severity: Medium

Release Date: May 22, 2014

Vulnerability Type: Host Spoofing

Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13,
6.1.0 to 6.1.8 and 6.2.0 to 6.2.2

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:O/RC:C (What's that?)

CVE: not assigned yet

Problem Description: Failing to properly validate the HTTP host-header TYPO3 
CMS is susceptible to host spoofing. TYPO3 uses the HTTP host-header to 
generate absolute URLs in several places like 404 handling, http(s) 
enforcement, password reset links and many more. Since the host header itself
is provided by the client it can be forged to any value, even in a name based
virtual hosts environment. A blog post describes this problem in great detail.

Solution: Update to TYPO3 versions 4.5.34, 4.7.19, 6.0.14, 6.1.9 or 6.2.3 and
check or update your web server configuration as described below.

Additional Notes: These versions introduce a new configuration option:

$GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern']

This option can contain either the value "SERVER_NAME" or a regular expression
pattern that matches all host names that are considered trustworthy for the 
particular TYPO3 installation. "SERVER_NAME" is the default value shipped with
the above mentioned TYPO3 versions. With this option value in effect, TYPO3 
checks the currently submitted host-header against the SERVER_NAME variable. 
The SERVER_NAME variable contains trusted values in the following cases:

Apache Webserver: Apache is set up to use name based virtual hosts while the 
TYPO3 installation is part of one virtual host and not the default host. Only
values that are part of the ServerName or ServerAlias values in the virtual 
host configuration are then set as SERVER_NAME.

Nginx Webserver: Nginx is set up with different servers blocks while the TYPO3
installation is not part of the "catch all" server block. By default only the
first value of the server_name option is taken into account to populate the 
SERVER_NAME variable. If you specified more than one server name in your Nginx
configuration you have to additionally add the following configuration: 
fastcgi_param SERVER_NAME $host;

If TYPO3 is served by Apache from the default host, updating to the current 
TYPO3 versions is not enough! Apache then sets the SERVER_NAME variable 
directly to the (untrusted) host-header value. In such a setup you must either
set "UseCannonicalName yes" in your Apache configuration, or change the TYPO3
configuration option to a regular expression that matches all trusted host 
names in your TYPO3 installation.

IMPORTANT: We tried hard to avoid a breaking change with these new versions 
and at the same time deliver a secure default setup for most users. We may 
have missed edge cases (like other web servers than the above, or a complex 
reverse proxy setup) where the default configuration breaks your site after 
the update. If you have a (server) setup that is considerably different from 
the scenarios described above, you should test if your TYPO3 installation 
still works after the update with the provided default configuration.

Credits: Credits go to Security Team Member Helmut Hummel who discovered and 
reported the issue and to Wouter van Dongen who discovered and reported a 
particular exploit possibility. Vulnerable subcomponent: Color Picker Wizard

Vulnerability Type: Insecure Unserialize

Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13
and 6.1.0 to 6.1.8

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:N/I:P/A:P/E:F/RL:O/RC:C (What's that?)

CVE: not assigned yet

Problem Description: Failing to validate authenticity of a passed serialized 
string, the color picker wizard is susceptible to insecure unserialize, 
allowing authenticated editors to unserialize arbitrary PHP objects.

Solution: Update to TYPO3 versions 4.5.34, 4.7.19, 6.0.14 or 6.1.9 that fix 
the problem described. TYPO3 version 6.2 is not affected by this 
vulnerability.

Credits: Credits go to Security Team member Helmut Hummel who discovered and 
reported the issue.

Vulnerable subcomponent: Backend

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13,
6.1.0 to 6.1.8 and 6.2.0 to 6.2.2

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C (What's that?)

CVE: not assigned yet

Problem Description: Failing to properly encode user input, several backend 
components are susceptible to Cross-Site Scripting, allowing authenticated 
editors to inject arbitrary HTML or JavaScript by crafting URL parameters.

Solution: Update to TYPO3 versions 4.5.34, 4.7.19, 6.0.14, 6.1.9 or 6.2.3 that
fix the problem described.

Credits: Credits go to Security Team members Georg Ringer and Franz Jahn and 
Marc Bastian Heinrichs who discovered and reported the issues.

Vulnerable subcomponent: ExtJS

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13,
6.1.0 to 6.1.8 and 6.2.0 to 6.2.2

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C (What's that?)

CVE: not assigned yet

Problem Description: The ExtJS JavaScript framework that is shipped with TYPO3
also delivers a flash file to show charts. This file is susceptible to 
Cross-Site Scripting. This vulnerability can be exploited without any 
authentication.

Solution: Update to TYPO3 versions 4.5.34, 4.7.19, 6.0.14, 6.1.9 or 6.2.3 that
fix the problem described or delete the file 
typo3/contrib/extjs/resources/charts.swf as it is not used by TYPO3 at all.

Credits: Credits go to Ronald Klomp who discovered and reported the issue.

Vulnerable subcomponent: Authentication

Vulnerability Type: Improper Session Invalidation

Affected Versions: Versions 6.2.0 to 6.2.2

Severity: Low

Suggested CVSS v2.0: AV:L/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C (What's that?)

CVE: not assigned yet

Problem Description: Failing to properly invalidate user sessions that have 
timed out, it is possible to successfully transmit one authenticated request 
before the session finally is discarded.

Solution: Update to TYPO3 version 6.2.3 that fix the problem described.

Credits: Credits go to Markus Klein who discovered and reported the issue.

Vulnerability Type: Authentication Bypass

Affected Versions: All TYPO3 versions not configured to use salted passwords

Severity: medium

Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C (What's that?)

CVE: not assigned yet

Problem Description: When the use of salted password is disabled (which is 
enabled by default since TYPO3 4.6 and required since TYPO3 6.2) passwords for
backend access are stored as md5 hash in the database. This hash (e.g. taken 
from a successful SQL injection) can be used directly to authenticate backend
users without knowing or reverse engineering the password.

Solution: Update to TYPO3 version 6.2 or higher or configure TYPO3 to make use
of salted passwords by installing and configuring the saltepasswords system 
component.

Note: In TYPO3 version 6.2 it is still possible to disable password salt 
hashing for frontend users. It should be apparent that such setup is insecure
and not recommended.

Vulnerable subcomponent: Extbase Framework

Vulnerability Type: Information Disclosure

Affected Versions: Versions 6.2.0 to 6.2.2

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:O/RC:C (What's that?)

CVE: not assigned yet

Problem Description: Failing to respect user groups of logged in users when 
caching queries, Extbase is susceptible to information disclosure. The query 
caching (introduced in Extbase 6.2) used to cache queries that query results 
for a specific user group were presented to a different group.

Solution: Update to TYPO3 version 6.2.3 that fix the problem described.

Credits: Credits go to Jan Kiesewetter who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can 
easily look them up on our review system.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU4LTohLndAQH1ShLAQLtGg//cbbnLqLzfRelzg+/tfNFiaCngHBj3gGk
fhpIxvN667N4LR3sNhDjjyyAvlje3twgP3qMfMbuBCM7EYPeA8SfEl+PgrEsHOA9
Bxx8dv0+XefngVU1kmnyidUWVk5YEU6NOaBRepw1eum4f0JILDHNPg9BrFwlB5ec
EWjONgFk+r+oq2vjjadoHjgIMkJzHwp74SzCrfU/IbULpYEEFOhsWkzlj8irqGHD
IyeNFXQf/my+reckajuEKGfZ3c6nyZWGzYSNLAN7HFJPpe5B50T4G5jv2w58oIe5
HQotCCJDhiLeOkM7RfxQWHm1UHCt4vbKKTpQaTZvZyYZ/S5y/o/UobJMGRlV1icZ
BpdDQ8SuoOjpUbgxcl8pCj87XXQPmA6M5fKEQ27uzKMBYFJfUXG/meJzoSbPsrTw
jXqsKSsy6/w9mLdMOqypG7S4KVrfdehUaf1ySz6rD3HwHYryqdwqhE1EygNjgsyF
1Gzuc7LcIjLESVSs6MRPeRMEWc7dvQ7XzgSZUj4mER/1psTnH3HTqqESwhMJ6q27
Oiud6lNBMpKc+LwNsjHwiaEGRcps7ndl8noA3Fj+WWSCmQmZNzLRkpMHoXT2tb2S
vJt0r+rEZUm5x6bztRmUSe7xuLqK40Mai09genwBIPZuoB9RVSf9hIYUUdvt67qK
5ND+DEZOQJs=
=Bp6Y
-----END PGP SIGNATURE-----