Giuseppe Iuculano
2009-Jan-22 07:39 UTC
[Secure-testing-team] Bug#512608: [SA33617] Typo3 Multiple Vulnerabilities
Package: typo3-src
Severity: grave
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

The following SA (Secunia Advisory) id was published for Typo3:

SA33617[1]

> DESCRIPTION:
> Some vulnerabilities have been reported in Typo3, which can be
> exploited by malicious people to bypass certain security
> restrictions, conduct cross-site scripting and session fixation
> attacks, and compromise a vulnerable system.
>
> 1) The "Install tool" system extension uses insufficiently random
> entropy sources to generate an encryption key, resulting in weak
> security.
>
> 2) The authentication library does not properly invalidate supplied
> session tokens, which can be exploited to hijack a user's session.
>
> 3) Certain unspecified input passed to the "Indexed Search Engine"
> system extension is not properly sanitised before being used to
> invoke commands. This can be exploited to inject and execute
> arbitrary shell commands.
>
> 4) Input passed via the name and content of files to the "Indexed
> Search Engine" system extension is not properly sanitised before
> being returned to the user. This can be exploited to execute
> arbitrary HTML and script code in a user's browser session in context
> of an affected site.
>
> 5) Certain unspecified input passed to the Workspace module is not
> properly sanitised before being returned to the user. This can be
> exploited to execute arbitrary HTML and script code in a user's
> browser session in context of an affected site.
>
> Note: It is also reported that certain unspecified input passed to
> test scripts of the "ADOdb" system extension is not properly
> sanitised before being returned to the user. This can be exploited to
> execute arbitrary HTML and script code in a user's browser session in
> context of an affected website.
>
> SOLUTION:
> Update to Typo3 version 4.0.10, 4.1.8, or 4.2.4.
>
> Generate a new encryption key (see vendor's advisory for more
> information).
>
> PROVIDED AND/OR DISCOVERED BY:
> The vendor credits:
> 1) Chris John Riley of Raiffeisen Informatik, CERT Security
> Competence Center Zwettl
> 2) Marcus Krause
> 3, 4) Mads Olesen
> 5) Daniel Fabian, SEC Consult
>
> ORIGINAL ADVISORY:
> TYPO3-SA-2009-001:
> http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/

If you fix the vulnerability please also make sure to include the CVE id (if available) in the changelog entry.

[1] http://secunia.com/advisories/33617/

Cheers,
Giuseppe

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkl4IpcACgkQNxpp46476ar0ngCfSRgis+Em7SqxFn/3biLtqRVt
/noAn0W0Y1T7EDOytyIfw4l63Ix+3yEE
=PAgw
-----END PGP SIGNATURE-----