FLOW3-SA-2012-001: Insecure Unserialize Vulnerability in FLOW3
March 28, 2012
It has been discovered that FLOW3 is vulnerable to insecure unserialization of a request argument.
Component Type: FLOW3
Affected Versions: 1.0, master
Release Date: March 28, 2012
Vulnerability Type: Insecure unserialize
Problem Description: A request argument that FLOW3 passes to PHP's unserialize() is not protected by a signature (HMAC). An attacker can therefore hand-craft the serialized string and have FLOW3 instantiate arbitrary objects of any loadable class, with attacker-chosen property values.
To our knowledge the vulnerability does not allow code injection by itself, and the FLOW3 Base Distribution contains no class whose instantiation through unserialize() could be abused. Applications built on FLOW3 may, however, contain classes whose magic methods (such as __wakeup or __destruct) act on property values, for example by writing files or issuing queries; such a class would make the object injection exploitable in that application.
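The following is an added example, not code from FLOW3 or from the advisory, illustrating the two halves of the problem description: a request argument fed straight into unserialize(), and the same argument protected by an HMAC so that only server-generated values reach unserialize(). The class CacheFileWriter, the key HMAC_KEY, the function names and the attacker payload are all constructed for this illustration; it assumes PHP 7.0 or later.

```php
<?php
declare(strict_types=1);

// Stand-in for any loadable class in an application whose magic method
// acts on property values. Hypothetical; not a FLOW3 class.
final class CacheFileWriter
{
    public $path = '/tmp/cache';
    public $content = '';

    public function __wakeup()
    {
        // A real class might write $content to $path here; this one only reports.
        echo "CacheFileWriter::__wakeup with path={$this->path}\n";
    }
}

// The vulnerable pattern: the argument is trusted exactly as the client sent it,
// so the client decides which class is instantiated and with which properties.
function readArgumentInsecure(string $raw)
{
    return unserialize($raw);
}

// The fix the advisory describes: the server signs every serialized argument it
// emits and verifies the signature before unserialize() sees the data.
// The key is an assumption standing in for a secret from the server's configuration.
const HMAC_KEY = 'assumed-server-side-secret-key';

function signArgument($value): string
{
    $payload = serialize($value);
    return $payload . '|' . hash_hmac('sha256', $payload, HMAC_KEY);
}

function readArgumentSigned(string $raw)
{
    // The hex tag contains no '|', so the last '|' always separates tag from payload,
    // even if a serialized string value itself contains '|'.
    $pos = strrpos($raw, '|');
    if ($pos === false) {
        throw new RuntimeException('missing signature');
    }
    $payload = substr($raw, 0, $pos);
    $tag = substr($raw, $pos + 1);
    $expected = hash_hmac('sha256', $payload, HMAC_KEY);
    // Constant-time comparison; a plain == would leak timing information.
    if (!hash_equals($expected, $tag)) {
        throw new RuntimeException('bad signature');
    }
    return unserialize($payload);
}

// Constructed attacker payload: a hand-written serialized CacheFileWriter with
// attacker-chosen property values. No server code ever produced this string.
$attack = 'O:15:"CacheFileWriter":2:{s:4:"path";s:14:"/var/www/x.php";s:7:"content";s:5:"<?php";}';

readArgumentInsecure($attack);          // __wakeup runs on the attacker's data

$legit = signArgument(['page' => 2]);   // what the server itself would emit
var_dump(readArgumentSigned($legit));   // verifies and round-trips to the array

try {
    readArgumentSigned($attack);        // carries no valid tag: rejected before unserialize()
} catch (RuntimeException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The HMAC gives integrity, not confidentiality: the client can still read the serialized value, it just cannot alter it or substitute its own without the key. Where an argument only ever carries scalars or arrays, PHP 7.0 and later additionally allow unserialize($payload, ['allowed_classes' => false]) as a second layer, so that even a forged payload cannot instantiate objects.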
Solution: Update to FLOW3 1.0.4, which fixes the problem described.
Note: The same problem applies to the Extbase Framework in TYPO3. See the corresponding advisory TYPO3-CORE-SA-2012-001 for more information.
Credits: Credits go to Security Team Member Helmut Hummel who discovered and reported the issue.
General Advice: Please subscribe to the FLOW3-announce mailing list.