Package: typo3-src Version: 4.2.5-1+lenny3 Severity: critical Tags: security
Vulnerability Types: Cross-Site Scripting (XSS), Open Redirection, SQL Injection, Broken Authentication and Session Management, Insecure Randomness, Information Disclosure, Arbitrary Code Execution Vulnerable subcomponent #1: Backend Vulnerability Type: Cross-Site Scripting Severity: Medium Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C Problem Description: Failing to sanitize user input the TYPO3 backend is susceptible to XSS attacks in several places. A valid backend login is required to exploit these vulnerabilities. Vulnerability Type: Open Redirection Severity: High Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C Problem Description: Failing to sanitize user input the TYPO3 backend is susceptible to open redirection in several places. Vulnerability Type: SQL Injection Severity: High Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C Problem Description: Failing to properly escape user input for a database query, some backend record editing forms are susceptible to SQL injections. This is only exploitable by an editor who have the right to edit records which have a special "where" query definition in TCA or records which use the auto suggest feature available in TYPO3 versions 4.3 or higher. Vulnerability Type: Arbitrary Code Execution Severity: None/High (Depending on the webserver configuration) Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:C/I:C/A:N/E:POC/RL:OF/RC:C Problem Description: Because of a not sufficiently secure default value of the TYPO3 configuration variable fileDenyPattern allows backend users to upload files with .phtml file extension which may be executed as PHP with certain webserver setups. The new default value for the fileDenyPattern now is: \.(php[3-6]?|phpsh|phtml)(\..*)?$|^\.htaccess$ Vulnerability Type: Information Disclosure Severity: Low Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C Problem Description: If an extension with a defective backend module is installed, TYPO3 will issue a error message which reveals the complete path to the web root. Vulnerability Type: Information Disclosure/ Cross-Site Scripting Severity: Low Suggested CVSS v2.0: AV:N/AC:H/Au:M/C:C/I:C/A:C/E:U/RL:OF/RC:C Problem Description: Failing to properly validate and escape user input, the Extension Manager is susceptible to XSS. Additionally by forging a special request parameter it is possible to view (and edit under special conditions) the contents of every file the webserver has access to. A valid admin user login is requred to exploit this vulnerability. Vulnerable subcomponent #2: User authentication Vulnerability Type: Insecure Randomness Severity: Very Low Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C Problem Description: As a precaution to PHP's weak randomness in the uniqid() function, the random byte generation function t3lib_div::generateRandomBytes() has been vastly improved, especially for Windows systems. In addition TYPO3 now uses this function to generate a session id for frontend and backend authentication instead of PHP's uniqid(). Note: Nevertheless the probability of guessing the session id was very low even before this improvement. Vulnerable subcomponent #3: Frontend Vulnerability Type: Spam Abuse Severity: High Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:N/A:N/E:POC/RL:OF/RC:C Problem Description: Failing to check the for valid parameters, the native form content element is susceptible to spam abuse. An attacker could abuse the form to send mails to arbitrary email addresses. Vulnerability Type: Header Injection Severity: Low/High (depending on the PHP version used) Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C Problem Description: Failing to sanitize user input, secure download feature (jumpurl) of TYPO3 is susceptible to header injection / manipulation. Note: Since PHP versions 4.4.2 or higher and 5.1.2 or higher it is no longer possible to send more than one header at once. This mitigates the impact of this vulnerability, making it only possible to spoof the mime type of the download. Vulnerable subcomponent #4: Frontend Login Vulnerability Type: Open Redirection, Cross-Site Scripting Severity: High Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C Problem Description: Failing to sanitize user input the frontend login box is susceptible to Open Redirection and Cross-Site scripting. Vulnerability Type: Insecure Randomness Severity: High Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C Problem Description: The "forgot password" function generates a hash which is verified to authenticate the password change request. Because of very low randomness while generating the hash, especially on Windows systems, brute forcing the hash value is possible in a short timeframe. Vulnerable subcomponent #5: Install Tool Vulnerability Type: Broken Authentication and Session Management Severity: Low Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:C/I:C/A:N/E:POC/RL:OF/RC:C Problem Description: TYPO3 authenticates install tool users without invalidating a supplied session identifier. Therefore, TYPO3 is open for session fixation attacks, making an attacker able to hijack a victim's session. Vulnerable subcomponent #6: FLUID Templating Engine Vulnerability Type: Cross-Site Scripting Severity: Low Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C Problem Description: Failing to escape the output, using the textarea view helper in an extbase extension leads to a XSS vulnerability if the extension author does not take care of escaping the output. Vulnerable subcomponent #7: Mailing API Vulnerability Type: Information Disclosure Severity: Very Low Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C Problem Description: The TYPO3 HTML mailing API class t3lib_htmlmail includes the exact version number of the TYPO3 installation in the mail header. -- MfG, Christian Welzel GPG-Key: http://www.camlann.de/de/pgpkey.html Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org