Date: Sat, 18 Oct 2014 14:16:48 -0400 (EDT)
From: cve-assign@...re.org
To: henri@...v.fi
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: TYPO3-EXT-SA-2014-014 and TYPO3-EXT-SA-2014-015

> http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-014/
>
> It has been discovered that the extension "fal_sftp" (fal_sftp) is
> susceptible to Improper Access Control.
>
> AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C
>
> Configured permissions of newly created files and folders for the sFTP
> driver are set incorrectly.

Use CVE-2014-8327.

> http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-015/
>
> It has been discovered that the extension "Dynamic Content Elements"
> (dce) is susceptible to Information Disclosure.
>
> AV:N/AC:L/Au:S/C:P/I:N/A:N/E:H/RL:OF/RC:C
>
> The extension provides a functionality to check for extension updates.
> Along with this functionality, installation environment data is
> automatically reported to the infrastructure of the extension author
> without user interaction.

Use CVE-2014-8328.

This is within the scope of CVE because TYPO3 has published a Security
Bulletin indicating that it's a vulnerability from their perspective. The
Credits section says "Credits go to Georg Ringer who discovered and
reported the issue and Armin Vieweg who quickly responded & resolved this
issue," where Armin Vieweg is apparently the author of the extension:

  http://typo3.org/extensions/repository/view/dce
  Last upload comment: Changed new option disableUpdateCheck to
  enableUpdateCheck and disables it by default.
  Author: Armin Ruediger Vieweg

This might imply a security policy of "'installation environment data is
... reported to the infrastructure of the extension author' was
intentional behavior, and can remain the intentional behavior of an
apparently useful update feature; however, it must not be the default."

Documentation/PrivacyPolicy/Index.rst has:

  The backend module of DCE may contain an image which is located on my
  server. It shows the user if there is a new DCE version available.
  It passes:

  - the TYPO3 version
  - the DCE version
  - and the backend language

  Based on these informations I'm able to say: "Yes, a new version is
  available, but not for your TYPO3 version.". These values are passed
  completely anonymously and help me to improve the extension.

  Because I have the data I am also able to get statistics. Like: Which
  TYPO3 version is used most often? I'm going to publish some interesting
  graphs based on these data on the `Facebook page`_ of DCE extension.

with Resources/Private/Templates/DceModule/Index.html rendering the
following in the (currently) non-default configuration:

  <a href="http://dce.v.ieweg.de/versioncheck/update" target="_blank">
  <img src="http://dce.v.ieweg.de/versioncheck?t3={dce:be.currentTypo3Version()}&dce={dce:be.currentDceVersion()}&l={dce:be.currentLanguage()}" alt="" /></a>

As always, a vendor is allowed to announce this type of previously default
intentional behavior as a vulnerability; it's just somewhat unusual to do
so.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
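As an added example that is not part of this e-mail thread or of the DCE extension's own code: a small Python audit for the pattern quoted above, an off-site `<img>` whose query string is assembled from inline `{...}` ViewHelper values, so that every backend page view reports those values to the remote host. The template fragment is constructed here to mirror the quoted one, and `own_hosts` is an assumed parameter listing first-party hosts to ignore.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample modelled on the template fragment quoted in the e-mail:
# one off-site <img> whose query string is filled in from inline ViewHelpers,
# plus a harmless first-party icon for contrast.
SAMPLE_TEMPLATE = """
<a href="http://dce.v.ieweg.de/versioncheck/update" target="_blank">
<img src="http://dce.v.ieweg.de/versioncheck?t3={dce:be.currentTypo3Version()}&dce={dce:be.currentDceVersion()}&l={dce:be.currentLanguage()}" alt="" /></a>
<img src="/typo3conf/ext/dce/Resources/Public/Icons/module.png" alt="" />
"""

IMG_SRC = re.compile(r'<img\b[^>]*\bsrc="([^"]+)"', re.IGNORECASE)
INTERPOLATION = re.compile(r"\{[^{}]+\}")  # matches {ns:helper()} or {variable}


def find_external_beacons(template, own_hosts=()):
    """Return one finding per <img> that loads from a host outside own_hosts
    and carries at least one interpolated value in its query string.

    Such an image is fetched by every browser that renders the page, so the
    interpolated values reach the remote host without any user action.
    """
    findings = []
    for src in IMG_SRC.findall(template):
        parts = urlsplit(src)
        if not parts.netloc or parts.netloc in own_hosts:
            continue  # relative path or first-party asset: not a beacon
        leaked = [
            key
            for key, value in parse_qsl(parts.query, keep_blank_values=True)
            if INTERPOLATION.search(value)
        ]
        if leaked:
            findings.append({"host": parts.netloc, "path": parts.path, "params": leaked})
    return findings


if __name__ == "__main__":
    for f in find_external_beacons(SAMPLE_TEMPLATE):
        print(f"beacon to {f['host']}{f['path']} leaks parameters: {', '.join(f['params'])}")
```

Run against an extension's template directory, it flags exactly the kind of update-check image described in the bulletin; a first-party host passed in `own_hosts` is ignored.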