Date: Tue, 3 Jun 2014 00:43:18 -0400 (EDT) From: cve-assign@...re.org To: jmm@...ian.org Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE ID request: typo3 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-001/ > Failing to properly validate the HTTP host-header TYPO3 CMS is > susceptible to host spoofing. Use CVE-2014-3941. (It is possible that, with more information, multiple CVE IDs may have been assigned. In CVE, missing input validation is often not considered a single type of vulnerability, e.g., failure to recognize that a parameter must be an integer could lead to both XSS and SQL injection, and two CVE IDs would be assigned. Here, however, there is no statement of which of (or how many of) the concerns in http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html is the motivation for treating the missing input validation as a vulnerability. Thus, only one CVE ID makes sense. Note that "reported a particular exploit possibility" suggests that there is at least one motivation. If TYPO3 CORE were unaffected, and the change were made solely to address a theoretical possibility that an extension could misuse the _SERVER["HTTP_HOST"] value, then a CVE ID may not have been assigned.) > Vulnerable subcomponent: Color Picker Wizard > Vulnerability Type: Insecure Unserialize Use CVE-2014-3942. > Vulnerable subcomponent: Backend > Vulnerability Type: Cross-Site Scripting Use CVE-2014-3943. > Vulnerable subcomponent: ExtJS > Vulnerability Type: Cross-Site Scripting > delete the file typo3/contrib/extjs/resources/charts.swf It seems likely that this is a copy of some version of the YUI charts.swf file. If so, this issue can be mapped to an existing CVE such as CVE-2010-4207 or CVE-2012-5881. Going further, it seems plausible that different versions of TYPO3 might incorporate different versions of ExtJS, and different versions of ExtJS might incorporate charts.swf from different versions of YUI. Although we would like to offer a precise CVE mapping, at this point it seems reasonable to map the "Vulnerable subcomponent: ExtJS" part of TYPO3-CORE-SA-2014-001 to both CVE-2010-4207 and CVE-2012-5881. > Vulnerable subcomponent: Authentication > Vulnerability Type: Improper Session Invalidation Use CVE-2014-3944. > Vulnerable subcomponent: Authentication > Vulnerability Type: Authentication Bypass > Affected Versions: All TYPO3 versions not configured to use salted passwords Use CVE-2014-3945. This CVE ID is for the CWE-836 issue, i.e., the "can be used directly to authenticate" statement in the Security Bulletin. There is no CVE ID assigned for either of the CWE-759 issues, i.e., - salting is not the default before 4.6 - salting is not mandatory before 6.2 Those are considered security improvements, because the vendor is not specifically making an announcement that they are vulnerability fixes (or, at least, that announcement isn't in the TYPO3-CORE-SA-2014-001 Security Bulletin). > Vulnerable subcomponent: Extbase Framework > Vulnerability Type: Information Disclosure > Failing to respect user groups of logged in users when caching queries Use CVE-2014-3946. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTjVITAAoJEKllVAevmvms7VEIAKul/Mi9Q3Wdl3GHpsrxv3h+ /ClT454GclowvIgUdfkd6jLK13diEGE43qiQ2DZ8oSBG3MnTscMKHJaLa2Tk8onF xX1g5DAYBTSsyoZnmVbcaP0/BFbVdtM6tcua77rKmR0XAQRBIlGO33RASIFxl6tm VYpH5f/UDW5nJABEOjV3KwJilPwiVikMQyVCEYKzm0wipmRt+j6TffGsZDP+rsB8 yA3Ymrmqk6fJ2SC1sTcP6XFiDb7pvE+7s+yPcha0JopjpGwOnU0P3XHG81RT5Iv7 Qpje047P/v/8QX5Ri5ZQyCl8i2CsBDMgsNbkYIzkusm9wgGPwFpYLT5Vt7oiyyE= =58uw -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ