Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 17 Apr 2012 23:02:38 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>, "security@...o3.org" <security@...o3.org>
Subject: Re: CVE-request: TYPO3-CORE-SA-2012-002 XSS in TYPO3
 Core

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/17/2012 05:54 AM, Henri Salo wrote:
> Hello,
> 
> Marcus KrauseMember from the TYPO3 Security Team said they did not
> yet request CVE-identifier for this vulnerability released today so
> here we go.
> 
> Announce of XSS:
> http://lists.typo3.org/pipermail/typo3-announce/2012/000241.html 
> Announce of new versions:
> http://lists.typo3.org/pipermail/typo3-announce/2012/000242.html 
> Advisory:
> http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-002/
>
>  Component Type: TYPO3 Core Affected Versions: 4.4.0 up to 4.4.14,
> 4.5.0 up to 4.5.14, 4.6.0 up to 4.6.7 and development releases of
> the 4.7 branch.
> 
> Problem Description: Failing to properly encode the output, the
> default TYPO3 Exception Handler is susceptible to Cross-Site
> Scripting. We are not aware of a possibilty to exploit this
> vulnerability without third party extensions being installed that
> put user input in exception messages. However it has come to our
> attention that extensions using the extbase MVC framework can be
> used to exploit this vulnerability if these extensions accept
> objects in controller actions. In general and especially when in
> doubt if the above conditions are met, we highly recommend users of
> affected versions to update as soon as possible. Imortant Note: In
> case you have configured your own exception handler for TYPO3 you
> need to make sure that the exception messages are properly encoded
> within this exception handler before they are presented.
> 
> Solution: Update to the TYPO3 versions 4.4.15, 4.5.15 or 4.6.8 that
> fix the problem described! Credits: Credits go to Security Team
> Member Helmut Hummel who discovered and reported the issue.
> 
> - Henri Salo

Please use CVE-2012-2112 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPjkruAAoJEBYNRVNeJnmTVQEP/3W9irSBzZzZ8gWN4OnDXyXt
PRitXlhSqb81skYWVJZu6sG78cN0qqJB1NOyhI5yaeUb/OnmfuJl7ZTrxau/ZLTi
aRvYJWD0g0wJlSSaRpQCpgOC6besSYx3nsupvFNW5aEUVYQG3J+HXfQX2AeuFaKa
7ikw0So6xVBpfpTJ9JEd9ClxVMv8F88Gb9p3vWSQvzFETQ2HpUd+sb6LfPvQ6xs6
+wJWB7pP0coWHFTD/rTY3r6H1yRP9I0/Cx24ng+VYYhgSpif4aJBALxsRpOLZkq+
/eOg2rYnhSEeYJlbKOKhVaGmMICEkQdC05Y/mGVDkdglLbtYCO/64gEyhqpgm844
ANZE36oPVuxY8xpwcqZz3uku/8WJKD5ww5B8QaeuRXHj1/lp959lmRi+aSlb16Rj
PJwNDEfl0JkM5AnkRpE+uCVMOx2rBgAZn+j/miUWrKVIrsyUdDK5Q4XBR99LlINn
PZ37rTLSHFvW0qrmGWIhIE/Z6/jMqTyWyngT50jm3DkYbeoYk2h7fBZF+jm9nyyZ
nEWrWnsJqTWqT9QRUd9/ALpwTV9x21OWnnOPS9sEbYUZkFTH0GXQo6CtZWmU073A
OePNIIUiz4OgYuEz8nqGfkew7xPNXQ4PX3/JPAit1fhqCHGGnB62+njq5tkZFlKk
aaE09mp8s2d1Q0F+ejP7
=9+d5
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ