typo3 security: several issues
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
typo3-src (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
Binary package hint: typo3-src-4.1
Multiple typo3 security issues have been found in typo3 core, see http://
Security fix has been announced for Feb. 10, 2009 at 9:00 am GMT., see http://
The issues have already been tracked down by the typo3 team, this report ist just to make the Ubuntu package maintainer aware of it (in case he shouldn't be already).
For completeness: Informations according to the "Please include, if possible" table:
1) The release of Ubuntu you are using,
I'm using Ubuntu 8.04.2 - according to the nature of typo3 (scripted using PHP) and the announcement (fixes will be provided for a wide range of typo3 versions) the security issues are independent of Ubuntu version won't matter.
2) The version of the package you are using:
typo3-src-4.1: 4.1.2+debian-
3) What you expected to happen and 4) What happened instead (cited from the first link above):
=======
Component Type: TYPO3 Core, Affected Versions: TYPO3 versions 4.0.0 to 4.0.9, 4.1.0 to 4.1.7, 4.2.0 to 4.2.3
Vulnerability Types: Broken Authentication and Session Management, Cross-Site Scripting, Insecure Randomness and Remote Command Execution
Overall Severity: High
Vulnerable subcomponent #1: System extension Install tool (install)
Vulnerability Types: Insecure Randomness
Severity: High
Problem Description: TYPO3-wide used encryption key is created with an insufficiently random seed which results in a low entropy.
Solution: Update to the TYPO3 versions 4.0.10, 4.1.8 or 4.2.4 that fix the problem described.
...
Vulnerable subcomponent #2: Authentication library
Vulnerability Types: Broken Authentication and Session Management
Severity: High
Problem Description: TYPO3 authenticates frontend and backend users without invalidating a supplied session identifier. Therefore, TYPO3 is open for session fixation, making an attacker able to hijack a victim's session.
...
Vulnerable subcomponent #3: System extension Indexed Search Engine (indexed_search)
Vulnerability Types: Cross-Site Scripting, Remote Command Execution
Severity: Medium
Problem Description: Passed arguments to command-line indexer are not sanitized making this system extension susceptible to Remote Command Execution. Furthermore, the according backend module fails to sanitize user supplied input (name and content of to be indexed files) making this system extension susceptible to Cross-Site Scripting.
...
Vulnerable subcomponent #4: System extension ADOdb (adodb)
Vulnerability Types: Cross-Site Scripting
Severity: Medium
Problem Description: Test scripts fail to sanitize user supplied input making this system extension susceptible to Cross-Site Scripting.
...
Vulnerable subcomponent #5: Workspace module
Vulnerability Types: Cross-Site Scripting
Severity: Medium
Problem Description: The module fails to sanitize user supplied input making this module susceptible to Cross-Site Scripting.
=======
The Ubuntu package typo3-src-4.1 (4.1.2+ debian- 1ubuntu1) has these security problems.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
TYPO3 Security Bulletin TYPO3-SA-2009-002: Information Disclosure & XSS in TYPO3 Core, see: http:// typo3.org/ teams/security/ security- bulletins/ typo3-sa- 2009-002/
Component Type: TYPO3 Core
Affected Versions: TYPO3 versions 3.3.x, 3.5.x, 3.6.x, 3.7.x, 3.8.x, 4.0 to 4.0.11, 4.1.0 to 4.1.9, 4.2.0 to 4.2.5, 4.3alpha1
Vulnerability Types: Information Disclosure, Cross-Site Scripting
Overall Severity: Critical
Release Date: February 10, 2009 — 9am (GMT)
Vulnerable subcomponent #1: Access tracking mechanism
Vulnerability Type: Information Disclosure
Severity: Critical
Problem Description: An Information Disclosure vulnerability in jumpUrl mechanism, used to track access on web pages and provided files, allows a remote attacker to read arbitrary files on a host.
The expected value of a mandatory hash secret, intended to invalidate such requests, is exposed to remote users allowing them to bypass access control by providing the correct value.
There's no authentication required to exploit this vulnerability. The vulnerability allows to read any file, the web server user account has access to.
Possible Impact: This flaw is making it potentially possible for the hacker to download the contents of any file on the server, i.e. typo3conf/ localconf. php, which holds both install tool password alongside database username and password.
Using rainbow tables, the hacker may be able to login to your install tool and from there take over your website.
Please refer to the section "Other recommendations" in order to understand some general methods of securing your TYPO3 installation.
Solution:
You can choose one of the solutions below:
1) Update to the TYPO3 versions 4.0.12, 4.1.10 or 4.2.6, or
2) Use this shell script (md5 sum: 0cbd0aac72e624c b3dd6673a01f853 20, documentation in file) to run accross your webservers in order to replace the affected lines, or
2) Apply one of the patches linked below (fitting to the version you're using), or
3) Edit the affected file class.tslib_fe.php following the instructions below.
In TYPO3 versions equal or greater than 4.0, the affected file is located in typo3/sysext/ cms/tslib/ class.tslib_ fe.php.
In TYPO3 versions lower than 4.0, the affected file is located in tslib/class. tslib_fe. php and possibly symlinked to the aforementioned location, also in typo3/sysext/ cms/tslib/ class.tslib_ fe.php
In the file, search for the line: ------- ------- --- ------- ------- ---
-------
} else die('jumpurl Secure: Calculated juHash, '.$calcJuHash.', did not match the submitted juHash.');
-------
and replace it with: ------- ------- --- ------- ------- ---
-------
} else die('jumpurl Secure: Calculated juHash did not match the submitted juHash.');
-------
Note: Version 3.3 and 3.5 of TYPO3 uses double-quotes, which means you have to search ".$calcJuHash." when doing manual replacing.
Patches for older TYPO3 versions: (please see: http:// typo3.org/ teams/security/ security- bulletins/ typo3-sa- 2009-002/)
= = = = = = = = = = = = = = = = = = = = = = = = = =...