ESB-2016.0462 - [Win][UNIX/Linux] TYPO3: Multiple vulnerabilities

Date: 24 February 2016


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0462
        Multiple vulnerabilities have been identified in TYPO3 CMS
                             24 February 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           TYPO3
Publisher:         TYPO3
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-001
   https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-002
   https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-003
   https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-004
   https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-005
   https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-006
   https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-007
   https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-008

Comment: This bulletin contains eight (8) TYPO3 security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

TYPO3-CORE-SA-2016-001: SQL Injection in dbal

February 16, 2016

Category: TYPO3 CMS

Author: Nicole Cordes

Keywords: TYPO3 CMS, SQL Injection

It has been discovered that TYPO3 is susceptible to SQL Injection.

Component Type: TYPO3 CMS

Release Date: February 16, 2016

Vulnerable subcomponent: Dbal

Vulnerability Type: SQL Injection

Affected Versions: Versions 6.2.0 to 6.2.17

Severity: High

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:C/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: A flaw in the database escaping API results in a SQL 
injection vulnerability when extension dbal is enabled and configured for 
MySQL passthrough mode in its extension configuration. All queries that use 
DatabaseConnection::sql_query are vulnerable, even if arguments were 
properly escaped with DatabaseConnection::quoteStr beforehand.

Solution: Update to TYPO3 version 6.2.18, which fixes the problem described.

Credits: Thanks to Mohamed Rebai who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can 
easily look them up on our review system.

- -------------------------------------------------------------------------------

TYPO3-CORE-SA-2016-002: Cross-Site Scripting in link validator component

February 16, 2016

Category: TYPO3 CMS

Author: Helmut Hummel

Keywords: TYPO3 CMS, Cross-Site Scripting

It has been discovered that TYPO3 is susceptible to Cross-Site Scripting.

Component Type: TYPO3 CMS

Release Date: February 16, 2016

Vulnerable subcomponent: link validator

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.17 and 7.6.0 to 7.6.2

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to sanitize content from editors, the link 
validator component is susceptible to Cross-Site Scripting. A valid editor 
account with access to content which is scanned by the link validator 
component is required to exploit this vulnerability.

Solution: Update to TYPO3 versions 6.2.18 or 7.6.3 that fix the problem 
described.

Credits: Thanks to Steffen Müller who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can 
easily look them up on our review system.

- -------------------------------------------------------------------------------

TYPO3-CORE-SA-2016-003: Cross-Site Scripting in legacy form component

February 16, 2016

Category: TYPO3 CMS

Author: Helmut Hummel

Keywords: TYPO3 CMS, Cross-Site Scripting

It has been discovered that TYPO3 is susceptible to Cross-Site Scripting.

Component Type: TYPO3 CMS

Release Date: February 16, 2016

Vulnerable subcomponent: legacy form component

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.17

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to sanitize content from editors, the legacy form
component is susceptible to Cross-Site Scripting. A valid editor account with
access to a form content element is required to exploit this vulnerability.

Solution: Update to TYPO3 version 6.2.18 that fixes the problem described.

Credits: Thanks to Georg Ringer who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can 
easily look them up on our review system.

- -------------------------------------------------------------------------------

TYPO3-CORE-SA-2016-004: Cross-Site Scripting in form component

February 16, 2016

Category: TYPO3 CMS

Author: Helmut Hummel

It has been discovered that TYPO3 is susceptible to Cross-Site Scripting.

Component Type: TYPO3 CMS

Release Date: February 16, 2016

Vulnerable subcomponent: form component

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.17

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to sanitize content from unauthenticated website
visitors, the form component is susceptible to Cross-Site Scripting.

Solution: Update to TYPO3 version 6.2.18 that fixes the problem described.

Credits: Thanks to David Vieira-Kurz who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can 
easily look them up on our review system.

- -------------------------------------------------------------------------------

TYPO3-CORE-SA-2016-005: XML External Entity (XXE) Processing in TYPO3 Core

February 23, 2016

Category: TYPO3 CMS

Author: Nicole Cordes

It has been discovered that TYPO3 is susceptible to XML External Entity 
Processing.

Component Type: TYPO3 CMS

Release Date: February 23, 2016

Vulnerable subcomponent: TYPO3 CMS

Vulnerability Type: XML External Entity Processing

Affected Versions: Versions 6.2.0 to 6.2.18 and 7.6.0 to 7.6.3

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: All XML processing within the TYPO3 CMS is vulnerable to
XXE processing. This can lead to loading internal and/or external (file) content
within an XML structure. Furthermore it is possible to inject arbitrary files
for an XML Denial of Service attack. For more information on that topic see 
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing.

Solution: Update to TYPO3 versions 6.2.19 or 7.6.4 that fix the problem 
described.

Important Note: Systems using a PHP version with libxml2 >= 2.9 should be 
protected by default. Since version 2.9 the library changed its behavior to 
disallow external entity processing by default.
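As an added example (not TYPO3's own code), a loader in the spirit of the note above for operators who cannot yet upgrade: it rejects any DOCTYPE before libxml sees the document and, on libxml2 older than 2.9, switches off the external entity loader explicitly. It assumes PHP 7.1 or later; the sample XML strings are constructed.

```php
<?php
// Added example, not TYPO3 project code: a hardened XML loader for use on
// PHP builds whose libxml2 is older than 2.9, where external entity loading
// stays on unless it is disabled explicitly.

/**
 * Parse $xml into a DOMDocument with external entity resolution disabled.
 * Returns null if the document carries a DOCTYPE (and thus may declare
 * entities) or is not well-formed.
 */
function parseXmlWithoutEntities(string $xml): ?DOMDocument
{
    // TYPO3's own XML formats (FlexForms, localisation files) never need a
    // DTD, so any DOCTYPE is rejected before the parser runs.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        return null;
    }

    // LIBXML_VERSION is numeric, e.g. 20800 for libxml2 2.8.0. Below 2.9 the
    // loader must be switched off by hand; from PHP 8.0 (which requires
    // libxml2 >= 2.9) the call is deprecated and the branch is skipped.
    $previousLoader = null;
    if (LIBXML_VERSION < 20900 && function_exists('libxml_disable_entity_loader')) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);

    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT is
    // deliberately NOT passed: that flag would turn entity substitution on.
    $ok = $dom->loadXML($xml, LIBXML_NONET);

    libxml_clear_errors();
    libxml_use_internal_errors($previousErrors);
    if ($previousLoader !== null) {
        libxml_disable_entity_loader($previousLoader);
    }
    return $ok ? $dom : null;
}

// Constructed sample: a FlexForm-like fragment with no DOCTYPE (accepted).
$clean = '<?xml version="1.0"?><T3FlexForms><data><field index="title">'
       . '<value index="vDEF">Hello</value></field></data></T3FlexForms>';
// Constructed sample: a harmless internal entity declaration (rejected,
// because the DOCTYPE check fires before any entity is looked at).
$withDoctype = '<?xml version="1.0"?><!DOCTYPE t [<!ENTITY greet "hi">]><t>&greet;</t>';

var_dump(parseXmlWithoutEntities($clean) instanceof DOMDocument);
var_dump(parseXmlWithoutEntities($withDoctype));
```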

Credits: Thanks to security team member Marcus Krause who discovered and 
reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can 
easily look them up on our review system.

- -------------------------------------------------------------------------------

TYPO3-CORE-SA-2016-006: Cross-Site Scripting in TYPO3 component Backend

February 23, 2016

Category: TYPO3 CMS

Author: Nicole Cordes

It has been discovered that TYPO3 is susceptible to Cross-Site Scripting.

Component Type: TYPO3 CMS

Release Date: February 23, 2016

Vulnerable subcomponent: Backend

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.18

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:P/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to properly encode incoming data, the bookmark 
toolbar is susceptible to Cross-Site Scripting.

Solution: Update to TYPO3 version 6.2.19 that fixes the problem described.

Credits: Thanks to Filipe Reis who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can 
easily look them up on our review system.

- -------------------------------------------------------------------------------

TYPO3-CORE-SA-2016-007: Cross-Site Scripting in TYPO3 component CSS styled content

February 23, 2016

Category: TYPO3 CMS

Author: Nicole Cordes

It has been discovered that TYPO3 is susceptible to Cross-Site Scripting.

Component Type: TYPO3 CMS

Release Date: February 23, 2016

Vulnerable subcomponent: CSS styled content

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.18 and 7.6.0 to 7.6.3

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to properly encode user input, the CSS styled 
content component is susceptible to Cross-Site Scripting, allowing 
authenticated editors to inject arbitrary HTML or JavaScript.

Solution: Update to TYPO3 versions 6.2.19 or 7.6.4 that fix the problem 
described.

Credits: Thanks to Jakub Galczyk who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can 
easily look them up on our review system.

- -------------------------------------------------------------------------------

TYPO3-CORE-SA-2016-008: Denial of Service attack possibility in TYPO3 component Indexed Search

February 23, 2016

Category: TYPO3 CMS

Author: Nicole Cordes

It has been discovered that TYPO3 is susceptible to a Denial of Service 
attack.

Component Type: TYPO3 CMS

Release Date: February 23, 2016

Vulnerable subcomponent: Indexed Search

Vulnerability Type: Denial of Service attack

Affected Versions: Versions 6.2.0 to 6.2.18 and 7.6.0 to 7.6.3

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Due to an oversized maximum result limit, TYPO3 component
Indexed Search is susceptible to a Denial of Service attack.

Solution: Update to TYPO3 versions 6.2.19 or 7.6.4 that fix the problem 
described.

Credits: Thanks to Jonas Felix who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 
Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can 
easily look them up on our review system.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================