Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 7 Sep 2013 11:14:45 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Cc: security@...o3.org
Subject: CVE request: TYPO3-CORE-SA-2013-003

Could you assign two 2013 CVE identifiers for following issues, thanks. We have
agreed with Helmut Hummel that I'm requesting TYPO3 CVEs in the future using
private method from:
http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html

http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-003

Component Type: TYPO3 Core
Vulnerability Types: Cross-Site Scripting, Remote Code Execution
Overall Severity: Critical
Release Date: September 4, 2013

#1 CVE-2013-XXXX

Vulnerable subcomponent: File handling / File Abstraction Layer
Vulnerability Type: Incomplete Access Management
Affected Versions: All versions from 6.0.0 up to the development branch of 6.2
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C

Problem Description: TYPO3 comes with the possibility to restrict editors to
certain file actions (copy, delete, move etc.) and to restrict these actions to
be performed in certain locations (file mounts). This permission handling was
only partly implemented with the introduction of the File Abstraction Layer
(FAL). The file action permissions that can be set in backend user and group
records were not respected and users could break out of file mounts by crafting
URLs. Thus, unprivileged users could create or read arbitrary files within or
outside the document root.

Solution: Update to the TYPO3 version 6.0.9, 6.1.4 or the latest development
version! It is important to clear all caches (clear cache all in the backend or
deleting the complete typo3temp/Cache directory) for the changes to take effect
after the TYPO3 source files have been updated!

Notes: Administrators are advised to set file permissions for backend users or
groups by using user TS Config instead of using the file permission check boxes
in the user or group records. This allows more fine grained control for single
file action permissions. Examples in the advisory.

Credits: Credits go to Sebastian Nerz who discovered and reported the issues,
Steffen Ritter and Helmut Hummel for creating the fixes and Anja Leichsenring,
Susanne Moog, Michiel Roos, Sascha Egerer and Ernesto Baschny for testing.

#2 CVE-2013-XXXX

Vulnerable subcomponent: File Abstraction Layer
Vulnerability Type: Remote Code Execution
Affected Versions: All versions from 6.0.0 up to the development branch of 6.2
Severity: Critical
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:O/RC:C

Problem Description: The check for denied file extensions implemented in the
File Abstraction Layer as mentioned in advisory TYPO3-CORE-SA-2013-002 was
incomplete. It was still possible for editors to rename files to have denied
file extensions by inserting special characters that were removed at a later
point. This (again) allowed authenticated editors to forge php files with
arbitrary code, which can then be executed in web server's context.

Solution: Update to the TYPO3 version 6.0.9, 6.1.4 or the latest development
version!

Credits: Credits go to Sascha Egerer who discovered and reported the issue. 

---
Henri Salo

Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.