Date: Tue, 3 Jun 2014 00:43:18 -0400 (EDT)
Subject: Re: CVE ID request: typo3


> Failing to properly validate the HTTP host-header TYPO3 CMS is
> susceptible to host spoofing.

Use CVE-2014-3941.

(It is possible that, with more information, multiple CVE IDs may have
been assigned. In CVE, missing input validation is often not
considered a single type of vulnerability, e.g., failure to recognize
that a parameter must be an integer could lead to both XSS and SQL
injection, and two CVE IDs would be assigned. Here, however, there is
no statement of which of (or how many of) the concerns in
is the motivation for treating the missing input validation as a
vulnerability. Thus, only one CVE ID makes sense. Note that "reported a
particular exploit possibility" suggests that there is at least one
motivation. If TYPO3 CORE were unaffected, and the change were made
solely to address a theoretical possibility that an extension could
misuse the _SERVER["HTTP_HOST"] value, then a CVE ID may not have been

> Vulnerable subcomponent: Color Picker Wizard
> Vulnerability Type: Insecure Unserialize

Use CVE-2014-3942.

> Vulnerable subcomponent: Backend
> Vulnerability Type: Cross-Site Scripting

Use CVE-2014-3943.

> Vulnerable subcomponent: ExtJS
> Vulnerability Type: Cross-Site Scripting
> delete the file typo3/contrib/extjs/resources/charts.swf

It seems likely that this is a copy of some version of the YUI
charts.swf file. If so, this issue can be mapped to an existing CVE
such as CVE-2010-4207 or CVE-2012-5881. Going further, it seems
plausible that different versions of TYPO3 might incorporate different
versions of ExtJS, and different versions of ExtJS might incorporate
charts.swf from different versions of YUI. Although we would like to
offer a precise CVE mapping, at this point it seems reasonable to map
the "Vulnerable subcomponent: ExtJS" part of TYPO3-CORE-SA-2014-001 to
both CVE-2010-4207 and CVE-2012-5881.

> Vulnerable subcomponent: Authentication
> Vulnerability Type: Improper Session Invalidation

Use CVE-2014-3944.

> Vulnerable subcomponent: Authentication
> Vulnerability Type: Authentication Bypass
> Affected Versions: All TYPO3 versions not configured to use salted passwords

Use CVE-2014-3945.

This CVE ID is for the CWE-836 issue, i.e., the "can be used directly
to authenticate" statement in the Security Bulletin. There is no CVE
ID assigned for either of the CWE-759 issues, i.e.,

  - salting is not the default before 4.6
  - salting is not mandatory before 6.2

Those are considered security improvements, because the vendor is not
specifically making an announcement that they are vulnerability fixes
(or, at least, that announcement isn't in the TYPO3-CORE-SA-2014-001
Security Bulletin).

> Vulnerable subcomponent: Extbase Framework
> Vulnerability Type: Information Disclosure
> Failing to respect user groups of logged in users when caching queries

Use CVE-2014-3946.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]