Package: typo3-src
Severity: critical
Tags: security

It has been discovered that TYPO3 Core is susceptible to SQL Injection
and Open Redirection


Component Type: TYPO3 Core

Affected Versions: 4.5.0 up to 4.5.23, 4.6.0 up to 4.6.16, 4.7.0 up to
4.7.8 and 6.0.0 up to 6.0.2
Vulnerability Types: SQL Injection, Open Redirection
Overall Severity: High
Release Date: March 6, 2013
Vulnerable subcomponent: Extbase Framework


Vulnerability Type: SQL Injection
Severity: Critical
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:C/I:C/A:N/E:H/RL:O/RC:C

Problem Description: Failing to sanitize user input, the Extbase
database abstraction layer is susceptible to SQL Injection. TYPO3 sites
which have no Extbase extensions installed are not affected. Extbase
extensions are affected if they use the Query Object Model and relation
values are user generated input (e.g.
$query->contains('model.categories', $userProvidedValue)).

Note: It has been reported to the TYPO3 Security Team that this problem
is known and exploited in the wild.
Vulnerable subcomponent: Access tracking mechanism


Vulnerability Type: Open Redirection
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:H/RL:O/RC:C

Problem Description: Failing to validate user provided input, the access
tracking mechanism allows redirects to arbitrary URLs.

Important Notes: To fix this vulnerability, we had to break existing
behaviour of TYPO3 sites that use the access tracking mechanism (jumpurl
feature) to transform links to external sites. The link generation has
been changed to include a hash that is checked before redirecting to an
external URL. This means that old links that have been distributed (e.g.
by a newsletter) will not work any more. If you are using the jumpurl
feature you need to do the following:
look up more information on
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-001/

-- 
 MfG, Christian Welzel

  GPG-Key:     http://www.camlann.de/de/pgpkey.html
  Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
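
The advisory's Open Redirection fix ("a hash that is checked before redirecting to an external URL") as an added illustration, not TYPO3 code: the link carries a keyed hash of its target, the redirect handler recomputes it, and a tampered or unsigned link (such as an old newsletter link) is refused. The parameter names jumpurl/juHash, the secret and the use of an HMAC are assumptions of this example.

```php
<?php
// Added example, not TYPO3 code. Assumptions: parameter names 'jumpurl' and
// 'juHash' are hypothetical, the secret is constructed for the demo, and the
// "hash" from the advisory is modelled as an HMAC keyed with a server secret.
declare(strict_types=1);

/** Build the tracking link: the external target plus an HMAC over it. */
function buildJumpUrl(string $target, string $secret): string
{
    $hash = hash_hmac('sha256', $target, $secret);
    return '/index.php?jumpurl=' . rawurlencode($target) . '&juHash=' . $hash;
}

/**
 * Validate a request before redirecting. Returns the target URL only if the
 * hash matches; otherwise null and the caller must not redirect. A link that
 * was generated before hashes existed (an old newsletter link) fails here,
 * which is exactly the behaviour change the advisory warns about.
 */
function checkJumpUrl(array $query, string $secret): ?string
{
    if (!isset($query['jumpurl'], $query['juHash'])) {
        return null;
    }
    $target   = (string) $query['jumpurl'];
    $expected = hash_hmac('sha256', $target, $secret);
    // Constant-time comparison so the hash cannot be guessed byte by byte.
    if (!hash_equals($expected, (string) $query['juHash'])) {
        return null;
    }
    return $target;
}

// Demo with a constructed secret and a constructed link.
$secret = 'constructed-demo-secret-replace-in-production';
$link   = buildJumpUrl('https://example.org/news', $secret);
parse_str((string) parse_url($link, PHP_URL_QUERY), $params);

$cases = [
    'signed link'            => $params,
    'tampered target'        => ['jumpurl' => 'https://other.example/', 'juHash' => $params['juHash']],
    'unsigned legacy link'   => ['jumpurl' => 'https://example.org/old'],
];
foreach ($cases as $label => $q) {
    $target = checkJumpUrl($q, $secret);
    echo $label, ': ', $target === null ? 'refused' : 'redirect to ' . $target, PHP_EOL;
}
```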
