Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 09 Sep 2013 14:04:02 -0600
From: Kurt Seifried <>
CC: Henri Salo <>,
Subject: Re: CVE request: TYPO3-CORE-SA-2013-003

Hash: SHA1

On 09/07/2013 02:14 AM, Henri Salo wrote:
> Could you assign two 2013 CVE identifiers for following issues,
> thanks. We have agreed with Helmut Hummel that I'm requesting TYPO3
> CVEs in the future using private method from: 
>  Component Type: TYPO3 Core Vulnerability Types: Cross-Site
> Scripting, Remote Code Execution Overall Severity: Critical Release
> Date: September 4, 2013
> #1 CVE-2013-XXXX
> Vulnerable subcomponent: File handling / File Abstraction Layer 
> Vulnerability Type: Incomplete Access Management Affected Versions:
> All versions from 6.0.0 up to the development branch of 6.2 
> Severity: Medium Suggested CVSS v2.0:
> Problem Description: TYPO3 comes with the possibility to restrict
> editors to certain file actions (copy, delete, move etc.) and to
> restrict these actions to be performed in certain locations (file
> mounts). This permission handling was only partly implemented with
> the introduction of the File Abstraction Layer (FAL). The file
> action permissions that can be set in backend user and group 
> records were not respected and users could break out of file mounts
> by crafting URLs. Thus, unprivileged users could create or read
> arbitrary files within or outside the document root.
> Solution: Update to the TYPO3 version 6.0.9, 6.1.4 or the latest
> development version! It is important to clear all caches (clear
> cache all in the backend or deleting the complete typo3temp/Cache
> directory) for the changes to take effect after the TYPO3 source
> files have been updated!
> Notes: Administrators are advised to set file permissions for
> backend users or groups by using user TS Config instead of using
> the file permission check boxes in the user or group records. This
> allows more fine grained control for single file action
> permissions. Examples in the advisory.
> Credits: Credits go to Sebastian Nerz who discovered and reported
> the issues, Steffen Ritter and Helmut Hummel for creating the fixes
> and Anja Leichsenring, Susanne Moog, Michiel Roos, Sascha Egerer
> and Ernesto Baschny for testing.

Please use CVE-2013-4320 for this issue.

> #2 CVE-2013-XXXX
> Vulnerable subcomponent: File Abstraction Layer Vulnerability Type:
> Remote Code Execution Affected Versions: All versions from 6.0.0 up
> to the development branch of 6.2 Severity: Critical Suggested CVSS
> v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:O/RC:C
> Problem Description: The check for denied file extensions
> implemented in the File Abstraction Layer as mentioned in advisory
> TYPO3-CORE-SA-2013-002 was incomplete. It was still possible for
> editors to rename files to have denied file extensions by inserting
> special characters that were removed at a later point. This (again)
> allowed authenticated editors to forge php files with arbitrary
> code, which can then be executed in web server's context.
> Solution: Update to the TYPO3 version 6.0.9, 6.1.4 or the latest
> development version!

Please use CVE-2013-4321 for this issue.

> Credits: Credits go to Sascha Egerer who discovered and reported
> the issue.
> --- Henri Salo

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Version: GnuPG v1.4.14 (GNU/Linux)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.