Your message dated Sun, 29 Aug 2010 13:52:39 +0000
with message-id <e1opijl-00086x...@franck.debian.org>
and subject line Bug#590719: fixed in typo3-src 4.2.5-1+lenny4
has caused the Debian Bug report #590719,
regarding TYPO3 Security Bulletin TYPO3-SA-2010-012: Multiple vulnerabilities
in TYPO3 Core
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
590719: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: typo3-src
Version: 4.2.5-1+lenny3
Severity: critical
Tags: security
Vulnerability Types: Cross-Site Scripting (XSS), Open Redirection, SQL
Injection, Broken Authentication and Session Management, Insecure
Randomness, Information Disclosure, Arbitrary Code Execution
Vulnerable subcomponent #1: Backend
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C Problem
Description: Failing to sanitize user input the TYPO3 backend is
susceptible to XSS attacks in several places. A valid backend login is
required to exploit these vulnerabilities.
Vulnerability Type: Open Redirection
Severity: High
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C Problem
Description: Failing to sanitize user input the TYPO3 backend is
susceptible to open redirection in several places.
Vulnerability Type: SQL Injection
Severity: High
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C Problem
Description: Failing to properly escape user input for a database query,
some backend record editing forms are susceptible to SQL injections.
This is only exploitable by an editor who have the right to edit records
which have a special "where" query definition in TCA or records which
use the auto suggest feature available in TYPO3 versions 4.3 or higher.
Vulnerability Type: Arbitrary Code Execution
Severity: None/High (Depending on the webserver configuration)
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:C/I:C/A:N/E:POC/RL:OF/RC:C Problem
Description: Because of a not sufficiently secure default value of the
TYPO3 configuration variable fileDenyPattern allows backend users to
upload files with .phtml file extension which may be executed as PHP
with certain webserver setups. The new default value for the
fileDenyPattern now is: \.(php[3-6]?|phpsh|phtml)(\..*)?$|^\.htaccess$
Vulnerability Type: Information Disclosure
Severity: Low
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C
Problem Description: If an extension with a defective backend module is
installed, TYPO3 will issue a error message which reveals the complete
path to the web root.
Vulnerability Type: Information Disclosure/ Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:H/Au:M/C:C/I:C/A:C/E:U/RL:OF/RC:C
Problem Description: Failing to properly validate and escape user input,
the Extension Manager is susceptible to XSS. Additionally by forging a
special request parameter it is possible to view (and edit under special
conditions) the contents of every file the webserver has access to. A
valid admin user login is requred to exploit this vulnerability.
Vulnerable subcomponent #2: User authentication
Vulnerability Type: Insecure Randomness
Severity: Very Low
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C
Problem Description: As a precaution to PHP's weak randomness in the
uniqid() function, the random byte generation function
t3lib_div::generateRandomBytes() has been vastly improved, especially
for Windows systems. In addition TYPO3 now uses this function to
generate a session id for frontend and backend authentication instead of
PHP's uniqid().
Note: Nevertheless the probability of guessing the session id was very
low even before this improvement.
Vulnerable subcomponent #3: Frontend
Vulnerability Type: Spam Abuse
Severity: High
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:N/A:N/E:POC/RL:OF/RC:C
Problem Description: Failing to check the for valid parameters, the
native form content element is susceptible to spam abuse. An attacker
could abuse the form to send mails to arbitrary email addresses.
Vulnerability Type: Header Injection
Severity: Low/High (depending on the PHP version used)
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C
Problem Description: Failing to sanitize user input, secure download
feature (jumpurl) of TYPO3 is susceptible to header injection /
manipulation.
Note: Since PHP versions 4.4.2 or higher and 5.1.2 or higher it is no
longer possible to send more than one header at once. This mitigates the
impact of this vulnerability, making it only possible to spoof the mime
type of the download.
Vulnerable subcomponent #4: Frontend Login
Vulnerability Type: Open Redirection, Cross-Site Scripting
Severity: High
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C
Problem Description: Failing to sanitize user input the frontend login
box is susceptible to Open Redirection and Cross-Site scripting.
Vulnerability Type: Insecure Randomness
Severity: High
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C
Problem Description: The "forgot password" function generates a hash
which is verified to authenticate the password change request. Because
of very low randomness while generating the hash, especially on Windows
systems, brute forcing the hash value is possible in a short timeframe.
Vulnerable subcomponent #5: Install Tool
Vulnerability Type: Broken Authentication and Session Management
Severity: Low
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:C/I:C/A:N/E:POC/RL:OF/RC:C
Problem Description: TYPO3 authenticates install tool users without
invalidating a supplied session identifier. Therefore, TYPO3 is open for
session fixation attacks, making an attacker able to hijack a victim's
session.
Vulnerable subcomponent #6: FLUID Templating Engine
Vulnerability Type: Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C
Problem Description: Failing to escape the output, using the textarea
view helper in an extbase extension leads to a XSS vulnerability if the
extension author does not take care of escaping the output.
Vulnerable subcomponent #7: Mailing API
Vulnerability Type: Information Disclosure
Severity: Very Low
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C
Problem Description: The TYPO3 HTML mailing API class t3lib_htmlmail
includes the exact version number of the TYPO3 installation in the mail
header.
--
MfG, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
--- End Message ---
--- Begin Message ---
Source: typo3-src
Source-Version: 4.2.5-1+lenny4
We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive:
typo3-src-4.2_4.2.5-1+lenny4_all.deb
to main/t/typo3-src/typo3-src-4.2_4.2.5-1+lenny4_all.deb
typo3-src_4.2.5-1+lenny4.diff.gz
to main/t/typo3-src/typo3-src_4.2.5-1+lenny4.diff.gz
typo3-src_4.2.5-1+lenny4.dsc
to main/t/typo3-src/typo3-src_4.2.5-1+lenny4.dsc
typo3_4.2.5-1+lenny4_all.deb
to main/t/typo3-src/typo3_4.2.5-1+lenny4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 590...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christian Welzel <gaw...@camlann.de> (supplier of updated typo3-src package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 06 Aug 2010 23:30:00 +0200
Source: typo3-src
Binary: typo3 typo3-src-4.2
Architecture: source all
Version: 4.2.5-1+lenny4
Distribution: stable-security
Urgency: high
Maintainer: Christian Welzel <gaw...@camlann.de>
Changed-By: Christian Welzel <gaw...@camlann.de>
Description:
typo3 - Powerful content management framework (Meta package)
typo3-src-4.2 - Powerful content management framework (Core)
Closes: 590719
Changes:
typo3-src (4.2.5-1+lenny4) stable-security; urgency=high
.
* Added patches (backported from 4.2.13 and 4.2.14) to fix the security
issues
from "TYPO3-SA-2010-012: Multiple vulnerabilities in TYPO3 Core"
(Closes: 590719).
Checksums-Sha1:
a3032612c530669e6a9ece4702628e266d44f06d 1008 typo3-src_4.2.5-1+lenny4.dsc
f3dd7c5cba0933abe098d9929a2e0c1ac27af500 146540
typo3-src_4.2.5-1+lenny4.diff.gz
ae57fc3ddb5df70656d4aad852aa82cc425e6891 133958 typo3_4.2.5-1+lenny4_all.deb
7eba0e4cd3d86291440cd47c7f6de040b3566388 8192390
typo3-src-4.2_4.2.5-1+lenny4_all.deb
Checksums-Sha256:
2c3889a09aea55723311ecf55e02db017b7e99ca45f6e80dc0823c4cdf5757f4 1008
typo3-src_4.2.5-1+lenny4.dsc
f22cc758d7d0e727bbbde1580150a7d12d1b55ebd31a4890fd272e26d8969373 146540
typo3-src_4.2.5-1+lenny4.diff.gz
a61c356a3c1fc7e0dbab7bbf6181467071aa31b69ffe92918345ed96df54bfe8 133958
typo3_4.2.5-1+lenny4_all.deb
d1e01069f3562bbcff960dde00606b0de7ecfb02d03195f6322c657c6ba280ea 8192390
typo3-src-4.2_4.2.5-1+lenny4_all.deb
Files:
018342ba199d8f866382b6791a617831 1008 web optional typo3-src_4.2.5-1+lenny4.dsc
9a2b90a47fd6373863cf43cecbbb53ee 146540 web optional
typo3-src_4.2.5-1+lenny4.diff.gz
4ec08c57f0dc4abb1681e98f403d81de 133958 web optional
typo3_4.2.5-1+lenny4_all.deb
88cd8939bd4d1c5aad5aa0aa986f8855 8192390 web optional
typo3-src-4.2_4.2.5-1+lenny4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFMd98tUHLQNqxYNSARAuqXAJ9pfey+FDskqXBdalBAOUbRMC6xvQCgqlyj
axZHxcI0Glt3SuIKKyamZAU=
=RaZe
-----END PGP SIGNATURE-----
--- End Message ---
