TYPO3-20080919-1: TYPO3 Security Bulletin

Several vulnerabilities have been found in TYPO3 third party extensions.

Please read first: This Collective Security Bulletin (CSB) is a listing of vulnerable extensions with neither significant download numbers, nor other special importance amongst the TYPO3 Community. The intention of CSBs is to reduce the workload of the TYPO3 Security Team, and the authors or maintainers of the extensions with the issues. Nevertheless, vulnerabilities in TYPO3 core or important extensions will still get the well-known single Security Bulletin each.

Please read our buzz blog post, which has a detailed explanation on CSBs.

All vulnerabilities affect third party extensions. These extensions are not part of the TYPO3 default installation.

Extension: auto BE User Registration (autobeuser)
Affected Versions: 0.0.2 and all versions below
Vulnerability Type: SQL Injection
Severity: HIGH
Solution: This extension has security related design flaws and is no longer maintained by the author. Please uninstall and delete the extension folder from your installation. The extension will no longer be available in the TYPO3 Extension Repository.
Credits: Credits go to Security Team member Marcus Krause, who discovered and reported the issue.

Extension: Swigmore institute (cgswigmore)
Affected Versions: 0.1.1 and all versions below
Vulnerability Type: SQL Injection
Severity: HIGH
Solution: An updated version 0.1.2 is available from the TYPO3 extension manager and at typo3.org/extensions/repository/view/cgswigmore/0.1.2/.
Note: At the time of this writing, the most recent version of Swigmore institute is version 0.5.1 which is available at typo3.org/extensions/repository/view/cgswigmore/0.5.1/.
Credits: Credits go to Georg Ringer, who discovered and reported the issue.

Extension: FE address edit for tt_address & direct mail (dmaddredit)
Affected Versions: 0.4.0 and all versions below
Vulnerability Type: SQL Injection
Severity: HIGH
Solution: This extension is no longer maintained by the author. Please uninstall and delete the extension folder from your installation. The extension will no longer be available in the TYPO3 Extension Repository.
Credits: Credits go to Clemens Riccabona, who discovered and reported the issue.

Extension: File List (file_list)
Affected Versions: 0.2.1 and all versions below
Vulnerability Type: Information disclosure
Severity: low
Solution: The extension author has informed us that he intends to rewrite the extension from scratch. For the time being please uninstall and delete the extension folder from your installation. The extension will no longer be available in the TYPO3 Extension Repository.
Credits: Credits go to Security Team member Marcus Krause, who discovered and reported the issue.

Extension: HBook (h_book)
Affected Versions: 2.3.0 and all versions below
Vulnerability Type: Blind SQL Injection
Severity: HIGH
Solution: The TYPO3 Security Team did not succeed in contacting the extension author. Please uninstall and delete the extension folder from your installation. The extension will no longer be available in the TYPO3 Extension Repository.
Credits: Credits go to Frederic Gaus, who discovered and reported the issue.

Extension: Secure Directory (kw_secdir)
Affected Versions: 1.0.1 and all versions below
Vulnerability Type: Arbitrary code execution
Severity: HIGH
Solution: An updated version 1.0.2 is available from the TYPO3 extension manager and at typo3.org/extensions/repository/view/kw_secdir/1.0.2/.
Credits: Credits go to Jens Weibler, who discovered and reported the issue.

Extension: Simple Random Objects (mw_random_objects)
Affected Versions: 1.0.3 and all versions below
Vulnerability Type: SQL Injection
Severity: HIGH
Solution: The TYPO3 Security Team did not succeed in contacting the extension author. Please uninstall and delete the extension folder from your installation. The extension will no longer be available in the TYPO3 Extension Repository.
Credits: Credits go to Georg Ringer, who discovered and reported the issue.

Extension: My quiz and poll (myquizpoll)
Affected Versions: 0.1.3 and all versions below
Vulnerability Type: SQL Injection
Severity: HIGH
Solution: An updated version 0.1.4 is available from the TYPO3 extension manager and at typo3.org/extensions/repository/view/myquizpoll/0.1.4/.
Note: At the time of this writing, the most recent version of My quiz and poll is version 0.1.5 which is available at typo3.org/extensions/repository/view/myquizpoll/0.1.5/.
Credits: Credits go to Georg Ringer, who discovered and reported the issue.

Extension: Diocese of Portsmouth Church Search (pd_churchsearch)
Affected Versions: 0.2.10 and all versions below
Vulnerability Type: Blind SQL Injection
Severity: HIGH
Solution: An updated version 0.1.1 is available from the TYPO3 extension manager and at typo3.org/extensions/repository/view/pd_churchsearch/0.1.1/.
Note: Please mind the wrong versioning scheme - extension version 0.1.1 is the most recent one and includes the security fix.
Credits: Credits go to Georg Ringer, who discovered and reported the issue.

Extension: Random Prayer Version 2 (ste_prayer2)
Affected Versions: 0.0.2 and all versions below
Vulnerability Type: SQL Injection
Severity: HIGH
Solution: An updated version 0.0.3 is available from the TYPO3 extension manager and at typo3.org/extensions/repository/view/ste_prayer2/0.0.3/.
Credits: Credits go to Georg Ringer, who discovered and reported the issue.

Extension: Another Backend Login (wrg_anotherbelogin)
Affected Versions: 0.0.3 and all versions below
Vulnerability Type: Blind SQL Injection
Severity: HIGH
Solution: An updated version 0.0.4 is available from the TYPO3 extension manager and at typo3.org/extensions/repository/view/wrg_anotherbelogin/0.0.4/.
Credits: Credits go to Security Team member Marcus Krause, who discovered and reported the issue.

General advice: Follow the recommendations that are given in the TYPO3 SECURITY Guide. Please subscribe to the typo3-announce mailing list in order to receive future Security Bulletins via E-mail.