Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 09 Sep 2013 14:04:02 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>, security@...o3.org
Subject: Re: CVE request: TYPO3-CORE-SA-2013-003

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/07/2013 02:14 AM, Henri Salo wrote:
> Could you assign two 2013 CVE identifiers for following issues,
> thanks. We have agreed with Helmut Hummel that I'm requesting TYPO3
> CVEs in the future using private method from: 
> http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html
>
>  
> http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-003
>
>  Component Type: TYPO3 Core Vulnerability Types: Cross-Site
> Scripting, Remote Code Execution Overall Severity: Critical Release
> Date: September 4, 2013
> 
> #1 CVE-2013-XXXX
> 
> Vulnerable subcomponent: File handling / File Abstraction Layer 
> Vulnerability Type: Incomplete Access Management Affected Versions:
> All versions from 6.0.0 up to the development branch of 6.2 
> Severity: Medium Suggested CVSS v2.0:
> AV:N/AC:L/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C
> 
> Problem Description: TYPO3 comes with the possibility to restrict
> editors to certain file actions (copy, delete, move etc.) and to
> restrict these actions to be performed in certain locations (file
> mounts). This permission handling was only partly implemented with
> the introduction of the File Abstraction Layer (FAL). The file
> action permissions that can be set in backend user and group 
> records were not respected and users could break out of file mounts
> by crafting URLs. Thus, unprivileged users could create or read
> arbitrary files within or outside the document root.
> 
> Solution: Update to the TYPO3 version 6.0.9, 6.1.4 or the latest
> development version! It is important to clear all caches (clear
> cache all in the backend or deleting the complete typo3temp/Cache
> directory) for the changes to take effect after the TYPO3 source
> files have been updated!
> 
> Notes: Administrators are advised to set file permissions for
> backend users or groups by using user TS Config instead of using
> the file permission check boxes in the user or group records. This
> allows more fine grained control for single file action
> permissions. Examples in the advisory.
> 
> Credits: Credits go to Sebastian Nerz who discovered and reported
> the issues, Steffen Ritter and Helmut Hummel for creating the fixes
> and Anja Leichsenring, Susanne Moog, Michiel Roos, Sascha Egerer
> and Ernesto Baschny for testing.

Please use CVE-2013-4320 for this issue.

> #2 CVE-2013-XXXX
> 
> Vulnerable subcomponent: File Abstraction Layer Vulnerability Type:
> Remote Code Execution Affected Versions: All versions from 6.0.0 up
> to the development branch of 6.2 Severity: Critical Suggested CVSS
> v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:O/RC:C
> 
> Problem Description: The check for denied file extensions
> implemented in the File Abstraction Layer as mentioned in advisory
> TYPO3-CORE-SA-2013-002 was incomplete. It was still possible for
> editors to rename files to have denied file extensions by inserting
> special characters that were removed at a later point. This (again)
> allowed authenticated editors to forge php files with arbitrary
> code, which can then be executed in web server's context.
> 
> Solution: Update to the TYPO3 version 6.0.9, 6.1.4 or the latest
> development version!

Please use CVE-2013-4321 for this issue.

> Credits: Credits go to Sascha Egerer who discovered and reported
> the issue.
> 
> --- Henri Salo
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSLimyAAoJEBYNRVNeJnmT/AYP/0nbRLS5HmLSdkGF1MIm147A
FbCKgzUyZd2/UOOE8n+upjTyz+BVHvi4pK6eDpuIWquyTZE1U/jw1+tlTHvuo4iR
gHhSmDBZf85pHYOwQoT0f8FTwk5+g0Sf2glgXGMBx33rwV264371jfN61G0uXEJg
YR/U6HfEJl+kQZ+HbRu9bab9KkJN4mzGJZ1TRbWLZ3IYKlttF1NVS+fOFAuAGcNa
mRdKcxhTarkDCRodped3R1KNy5r6C1Gv6WqPnkDVjjhOipPCmgEdwbEVR/rpO+Lf
4jzUbdoko08hm9TizTCZIImveIzPlmYQ7L46xjMDEa6TfHXwMXDRKKkAWI01oH8T
0qzE1cI0C1oN7oKGrrrY7edtvzL8Hvovj+4Xo7jHBwdBRKrAmqn8AUwGyuylPQBW
BCaH/sBuHcy5gaWDu2dmaIYE/fr50VIcM+5HnuWHmmAJo0A0zy7iiW4ivAOMMqhu
v+F3MmtQQANliVGnFLkUVluqsbRF7dc54m9IJY1WdZoZMdEzhRNWdQlrwtRx0KuD
VlybnyOJUp2OGS6sHBR6nLYucq6NT39Q118dUKPTp7ktVkhYy9Y+SniexWkIMQCE
fBIsiC9mf9lMZO+JzLt3x1PltxEywi2fmB8RQ/Yj+3qY6nUZCbDE3GU8U3obLxdl
X80mC3JFdtDFZFK94mCh
=oPhI
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.