Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 11 Dec 2014 20:49:11 +0200
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Cc: TYPO3 Security Team <security@...o3.org>
Subject: CVE request: TYPO3-CORE-SA-2014-003

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi MITRE,

Can we get CVE for Link spoofing and cache poisoning vulnerabilities in TYPO3
CMS, thank you.

http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-003/

Copy paste from advisory below:

Vulnerability Type: Link Spoofing
Affected Versions: Versions 4.5.0 to 4.5.38, 4.6.0 to 4.6.18, 4.7.0 to 4.7.20,
6.0.0 to 6.0.14, 6.1.0 to 6.1.12 and 6.2.0 to 6.2.8, 7.0.0 to 7.0.1

Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C

Problem Description: An attacker could forge a request, which modifies anchor
only links on the homepage of a TYPO3 installation in a way that they point to
arbitrary domains, if the configuration option config.prefixLocalAnchors is used
with any possible value. TYPO3 versions 4.6.x and higher are only affected if
the homepage is not a shortcut to a different page. AS an additional
pre-condition URL rewriting must be enabled in the web server, which typically
is, when using extensions like realurl or cooluri.

Installation where config.absRefPrefix is additionally set to any value are not
affected by this vulnerability.

Example of affected configuration:

TypoScript:

config.absRefPrefix =
config.prefixLocalAnchors = all 
page = PAGE 
page.10 = TEXT 
page.10.value = <a href="#skiplinks">Skiplinks</a> 

.htaccess:

RewriteCond %{REQUEST_FILENAME} !-f 
RewriteCond %{REQUEST_FILENAME} !-d 
RewriteCond %{REQUEST_FILENAME} !-l 
RewriteRule .* index.php [L] 

Solution: Set config.absRefPrefix to a value fitting your installation

or

Solution: Update to TYPO3 versions 4.5.39, 6.2.9 or 7.0.2 that fix the problem
described.

Important Note: Since the changes provided with the TYPO3 update change the way
the prefix for local anchors is generated, there might be cases where the update
breaks functionality. The impact of the breakage is that the page is reloaded in
the browser when a user follows a link where previously the browser only jumped
to a certain section of the current page.

Credits: Thanks to Gernot Leitgab who discovered and reported the vulnerability.


Vulnerability Type: Cache Poisoning
Affected Versions: Versions 4.5.0 to 4.5.38, 4.6.0 to 4.6.18, 4.7.0 to 4.7.20,
6.0.0 to 6.0.14, 6.1.0 to 6.1.12 and 6.2.0 to 6.2.8, 7.0.0 to 7.0.1

Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C

Problem Description: A request URL with arbitrary arguments, but still pointing
to the home page of  a TYPO3 installation can be cached if the configuration
option config.prefixLocalAnchors is used with the values "all" or "cached". The
impact of this vulnerability is that unfamiliar looking links to the home page
can end up in the cache, which leads to a reload of the page in the browser when
section links are followed by web page visitors, instead of just directly
jumping to the requested section of the page. TYPO3 versions 4.6.x and higher
are only affected if the homepage is not a shortcut to a different page.

Solution: Removing the configuration options config.prefixLocalAnchors (and
optionally also config.baseUrl) in favor of config.absRefPrefix

Credits: Thanks to Gernot Leitgab who discovered and reported the vulnerability. 

- -- 
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlSJ5ycACgkQXf6hBi6kbk91AACgq2InRYd9nD3PFD58Sel1UXV1
sisAoM8krOev+0f/Og0u43sFuTMZsffI
=oa+e
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.