Date: Thu, 26 May 2016 02:18:16 -0400 (EDT)
From: cve-assign@...re.org
To: stefan.horlacher@...us-security.ch
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE-Request: TYPO3 Extbase Missing Access Check

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/
> TYPO3-CORE-SA-2016-013
> 
> Extbase request handling fails to implement a proper access check for
> requested controller/action combinations, which makes it possible for
> an attacker to execute arbitrary Extbase actions by crafting a special
> request. To successfully exploit this vulnerability, an attacker must
> have access to at least one Extbase plugin or module action in a TYPO3
> installation. The missing access check inevitably leads to information
> disclosure or remote code execution, depending on the action that an
> attacker is able to execute.

> TYPO3 installations with at least one publicly available Extbase
> action are exploitable without any further authentication.
> 
> TYPO3 installations without publicly available Extbase actions are
> still exploitable for authenticated backend users with access to a
> backend module which is based on Extbase.

Use CVE-2016-5091 for both of these installation scenarios. As far as
we can tell, the second scenario ("without publicly available") occurs
only because TYPO3 Core code (or a copy of TYPO3 Core code) exists in,
or is reachable by, a (supported or unsupported) backend module.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
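The advisory quoted above describes the vulnerability class only in prose: a dispatcher that resolves whatever controller/action pair the request names, instead of checking that pair against what the plugin or module was configured to expose. The following PHP is an added illustration written for this page; it is not TYPO3 Core code, not the SA-2016-013 fix, and every class, function and configuration key in it (PublicController, AdminController, FRONTEND_PLUGIN_CONFIG, dispatchUnchecked, dispatchChecked, the request arrays) is hypothetical and constructed for the example. It shows the unchecked dispatch beside a hardened variant that enforces a per-plugin allowlist.

```php
<?php
// Added illustration for the oss-security thread on TYPO3-CORE-SA-2016-013.
// NOT TYPO3 Core code and NOT the vendor patch: a minimal MVC dispatcher
// with hypothetical class, method and configuration names, constructed to
// show the missing controller/action access check as a pattern.
declare(strict_types=1);

final class AccessDeniedException extends RuntimeException {}

final class PublicController
{
    public function listAction(): string { return 'public list'; }
}

final class AdminController
{
    // Meant to be reachable only through a backend module, never via the
    // public front-end plugin.
    public function exportAction(): string { return 'sensitive export'; }
}

// Constructed per-plugin configuration: the front-end plugin is declared to
// expose exactly one controller/action pair, Public::list.
const FRONTEND_PLUGIN_CONFIG = [
    'controllers' => [
        'Public' => ['actions' => ['list']],
    ],
];

function resolveController(string $name): string
{
    $class = $name . 'Controller';
    if (!class_exists($class)) {
        throw new RuntimeException("Unknown controller: $name");
    }
    return $class;
}

// VULNERABLE PATTERN: the only checks are "does this class exist" and
// "does this method exist". Nothing ties the request to the set of actions
// the plugin was configured to expose, so any action present in the code
// base (here AdminController::exportAction) is reachable through the
// public plugin's request path.
function dispatchUnchecked(array $request): string
{
    $class  = resolveController($request['controller']);
    $method = $request['action'] . 'Action';
    if (!method_exists($class, $method)) {
        throw new RuntimeException("Unknown action: {$request['action']}");
    }
    return (new $class())->$method();
}

// HARDENED PATTERN: the requested pair is validated against the allowlist
// of the plugin handling the request, before any class is resolved. An
// action that exists in code but is absent from the configuration is
// rejected, and unknown controllers are rejected without revealing whether
// the class exists.
function dispatchChecked(array $request, array $pluginConfig): string
{
    $controller = $request['controller'];
    $action     = $request['action'];
    $allowed    = $pluginConfig['controllers'][$controller]['actions'] ?? [];
    if (!in_array($action, $allowed, true)) {
        throw new AccessDeniedException(
            "Action $controller::$action is not allowed for this plugin"
        );
    }
    $class  = resolveController($controller);
    $method = $action . 'Action';
    return (new $class())->$method();
}

// Constructed requests: one that the plugin legitimately serves, and one
// crafted to name a controller/action the plugin never configured.
$legit   = ['controller' => 'Public', 'action' => 'list'];
$crafted = ['controller' => 'Admin',  'action' => 'export'];

echo dispatchUnchecked($legit), "\n";
echo dispatchUnchecked($crafted), "\n";   // the crafted request reaches the admin action
echo dispatchChecked($legit, FRONTEND_PLUGIN_CONFIG), "\n";
try {
    dispatchChecked($crafted, FRONTEND_PLUGIN_CONFIG);
} catch (AccessDeniedException $e) {
    echo 'denied: ', $e->getMessage(), "\n";
}
```

The allowlist passed to the checked dispatcher has to be the configuration of the plugin or module that actually received the request, not a global list of everything installed; the advisory's second scenario (a backend module reachable only by authenticated backend users) is the same dispatch path entered through a different entry point, so the check belongs in the shared request handling rather than in individual plugins.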
