Date: Tue, 17 Apr 2012 23:02:38 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>, "security@...o3.org" <security@...o3.org>
Subject: Re: CVE-request: TYPO3-CORE-SA-2012-002 XSS in TYPO3 Core

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/17/2012 05:54 AM, Henri Salo wrote:
> Hello,
>
> Marcus Krause, member of the TYPO3 Security Team, said they did not
> yet request a CVE identifier for this vulnerability released today, so
> here we go.
>
> Announce of XSS:
> http://lists.typo3.org/pipermail/typo3-announce/2012/000241.html
> Announce of new versions:
> http://lists.typo3.org/pipermail/typo3-announce/2012/000242.html
> Advisory:
> http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-002/
>
> Component Type: TYPO3 Core
> Affected Versions: 4.4.0 up to 4.4.14, 4.5.0 up to 4.5.14, 4.6.0 up to
> 4.6.7 and development releases of the 4.7 branch.
>
> Problem Description: Failing to properly encode the output, the
> default TYPO3 Exception Handler is susceptible to Cross-Site
> Scripting. We are not aware of a possibility to exploit this
> vulnerability without third party extensions being installed that
> put user input in exception messages. However, it has come to our
> attention that extensions using the extbase MVC framework can be
> used to exploit this vulnerability if these extensions accept
> objects in controller actions. In general, and especially when in
> doubt if the above conditions are met, we highly recommend users of
> affected versions to update as soon as possible. Important Note: In
> case you have configured your own exception handler for TYPO3, you
> need to make sure that the exception messages are properly encoded
> within this exception handler before they are presented.
>
> Solution: Update to the TYPO3 versions 4.4.15, 4.5.15 or 4.6.8 that
> fix the problem described!
>
> Credits: Credits go to Security Team Member Helmut Hummel, who
> discovered and reported the issue.
>
> - Henri Salo

Please use CVE-2012-2112 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPjkruAAoJEBYNRVNeJnmTVQEP/3W9irSBzZzZ8gWN4OnDXyXt
PRitXlhSqb81skYWVJZu6sG78cN0qqJB1NOyhI5yaeUb/OnmfuJl7ZTrxau/ZLTi
aRvYJWD0g0wJlSSaRpQCpgOC6besSYx3nsupvFNW5aEUVYQG3J+HXfQX2AeuFaKa
7ikw0So6xVBpfpTJ9JEd9ClxVMv8F88Gb9p3vWSQvzFETQ2HpUd+sb6LfPvQ6xs6
+wJWB7pP0coWHFTD/rTY3r6H1yRP9I0/Cx24ng+VYYhgSpif4aJBALxsRpOLZkq+
/eOg2rYnhSEeYJlbKOKhVaGmMICEkQdC05Y/mGVDkdglLbtYCO/64gEyhqpgm844
ANZE36oPVuxY8xpwcqZz3uku/8WJKD5ww5B8QaeuRXHj1/lp959lmRi+aSlb16Rj
PJwNDEfl0JkM5AnkRpE+uCVMOx2rBgAZn+j/miUWrKVIrsyUdDK5Q4XBR99LlINn
PZ37rTLSHFvW0qrmGWIhIE/Z6/jMqTyWyngT50jm3DkYbeoYk2h7fBZF+jm9nyyZ
nEWrWnsJqTWqT9QRUd9/ALpwTV9x21OWnnOPS9sEbYUZkFTH0GXQo6CtZWmU073A
OePNIIUiz4OgYuEz8nqGfkew7xPNXQ4PX3/JPAit1fhqCHGGnB62+njq5tkZFlKk
aaE09mp8s2d1Q0F+ejP7
=9+d5
-----END PGP SIGNATURE-----
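The bug class the quoted advisory describes, and the "Important Note" about custom exception handlers, as an added PHP example that is not TYPO3 code and not part of this thread: a standalone exception handler that writes the exception message into an HTML error page, first without encoding (the vulnerable pattern) and then with the message encoded for the HTML context. The exception, its message text and the user input are constructed for the demo; the function names are made up here, and the handler is registered with plain `set_exception_handler` rather than through TYPO3's own exception handler configuration, which is not shown.

```php
<?php
// Added example, not TYPO3 project code and not from this mailing-list thread.
// It demonstrates the bug class of TYPO3-CORE-SA-2012-002 in a custom exception
// handler: an exception message that may carry user-controlled input is
// written into an HTML error page without being encoded for the HTML context.
// All names, the exception and its message are constructed for this demo.

// Constructed sample: request input that lands verbatim in an exception
// message, as the advisory describes for extbase actions that accept objects.
$userInput = '<script>alert(document.cookie)</script>';
$exception = new InvalidArgumentException(
    'Could not map argument "' . $userInput . '" to the requested object type'
);

/**
 * VULNERABLE: the raw message is concatenated into the page, so any markup
 * in $userInput is parsed and executed by the browser (reflected XSS).
 *
 * @param Exception $e
 * @return string
 */
function renderErrorPageVulnerable($e)
{
    return '<h1>Oops, an error occurred!</h1><p>' . $e->getMessage() . '</p>';
}

/**
 * Encode text for an HTML body or attribute context. ENT_QUOTES also escapes
 * single and double quotes, and the explicit charset avoids encoding quirks.
 *
 * @param string $text
 * @return string
 */
function encodeForHtml($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

/**
 * HARDENED: the message is encoded before it is emitted, so the browser
 * shows the attacker's markup as text instead of interpreting it.
 *
 * @param Exception $e
 * @return string
 */
function renderErrorPageHardened($e)
{
    return '<h1>Oops, an error occurred!</h1><p>'
        . encodeForHtml($e->getMessage()) . '</p>';
}

/**
 * Install the hardened renderer as the process-wide uncaught-exception
 * handler using plain PHP. (TYPO3 registers exception handler classes via
 * its own configuration; that wiring is deliberately not shown here.)
 */
function installHardenedHandler()
{
    set_exception_handler(function ($e) {
        header('HTTP/1.1 500 Internal Server Error');
        header('Content-Type: text/html; charset=UTF-8');
        echo renderErrorPageHardened($e);
    });
}

// Compare the two renderings on the constructed exception.
$vulnerable = renderErrorPageVulnerable($exception);
$hardened   = renderErrorPageHardened($exception);

echo "Vulnerable output contains a live <script> tag: "
    . (strpos($vulnerable, '<script>') !== false ? 'yes' : 'no') . "\n";
echo "Hardened output contains a live <script> tag:   "
    . (strpos($hardened, '<script>') !== false ? 'yes' : 'no') . "\n";
echo "Hardened page as emitted:\n" . $hardened . "\n";
```

When auditing a site that ships its own handler, the thing to look for is any `getMessage()` (and, by the same logic, file names or trace output) concatenated into HTML without passing through an encoder for that context; the encoding has to match where the text ends up, so a handler that also writes JSON or a log line needs the appropriate escaping for those sinks, not `htmlspecialchars`.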