Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 3 Jun 2014 00:43:18 -0400 (EDT)
From: cve-assign@...re.org
To: jmm@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE ID request: typo3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-001/

> Failing to properly validate the HTTP host-header TYPO3 CMS is
> susceptible to host spoofing.

Use CVE-2014-3941.

(It is possible that, with more information, multiple CVE IDs may have
been assigned. In CVE, missing input validation is often not
considered a single type of vulnerability, e.g., failure to recognize
that a parameter must be an integer could lead to both XSS and SQL
injection, and two CVE IDs would be assigned. Here, however, there is
no statement of which of (or how many of) the concerns in
http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
is the motivation for treating the missing input validation as a
vulnerability. Thus, only one CVE ID makes sense. Note that "reported a
particular exploit possibility" suggests that there is at least one
motivation. If TYPO3 CORE were unaffected, and the change were made
solely to address a theoretical possibility that an extension could
misuse the _SERVER["HTTP_HOST"] value, then a CVE ID may not have been
assigned.)


> Vulnerable subcomponent: Color Picker Wizard
> Vulnerability Type: Insecure Unserialize

Use CVE-2014-3942.


> Vulnerable subcomponent: Backend
> Vulnerability Type: Cross-Site Scripting

Use CVE-2014-3943.


> Vulnerable subcomponent: ExtJS
> Vulnerability Type: Cross-Site Scripting
> delete the file typo3/contrib/extjs/resources/charts.swf

It seems likely that this is a copy of some version of the YUI
charts.swf file. If so, this issue can be mapped to an existing CVE
such as CVE-2010-4207 or CVE-2012-5881. Going further, it seems
plausible that different versions of TYPO3 might incorporate different
versions of ExtJS, and different versions of ExtJS might incorporate
charts.swf from different versions of YUI. Although we would like to
offer a precise CVE mapping, at this point it seems reasonable to map
the "Vulnerable subcomponent: ExtJS" part of TYPO3-CORE-SA-2014-001 to
both CVE-2010-4207 and CVE-2012-5881.


> Vulnerable subcomponent: Authentication
> Vulnerability Type: Improper Session Invalidation

Use CVE-2014-3944.


> Vulnerable subcomponent: Authentication
> Vulnerability Type: Authentication Bypass
> Affected Versions: All TYPO3 versions not configured to use salted passwords

Use CVE-2014-3945.

This CVE ID is for the CWE-836 issue, i.e., the "can be used directly
to authenticate" statement in the Security Bulletin. There is no CVE
ID assigned for either of the CWE-759 issues, i.e.,

  - salting is not the default before 4.6
  - salting is not mandatory before 6.2

Those are considered security improvements, because the vendor is not
specifically making an announcement that they are vulnerability fixes
(or, at least, that announcement isn't in the TYPO3-CORE-SA-2014-001
Security Bulletin).


> Vulnerable subcomponent: Extbase Framework
> Vulnerability Type: Information Disclosure
> Failing to respect user groups of logged in users when caching queries

Use CVE-2014-3946.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTjVITAAoJEKllVAevmvms7VEIAKul/Mi9Q3Wdl3GHpsrxv3h+
/ClT454GclowvIgUdfkd6jLK13diEGE43qiQ2DZ8oSBG3MnTscMKHJaLa2Tk8onF
xX1g5DAYBTSsyoZnmVbcaP0/BFbVdtM6tcua77rKmR0XAQRBIlGO33RASIFxl6tm
VYpH5f/UDW5nJABEOjV3KwJilPwiVikMQyVCEYKzm0wipmRt+j6TffGsZDP+rsB8
yA3Ymrmqk6fJ2SC1sTcP6XFiDb7pvE+7s+yPcha0JopjpGwOnU0P3XHG81RT5Iv7
Qpje047P/v/8QX5Ri5ZQyCl8i2CsBDMgsNbkYIzkusm9wgGPwFpYLT5Vt7oiyyE=
=58uw
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ