Official typo3.org security advisories
https://typo3.org/security
Feed generated: Sun, 17 Feb 2019 08:42:56 +0100

TYPO3-CORE-SA-2019-008: Arbitrary Code Execution via File List Module
https://typo3.org/security/advisory/typo3-core-sa-2019-008/
Published: Tue, 22 Jan 2019 11:07:00 +0100

    It has been discovered that TYPO3 CMS is vulnerable to arbitrary code execution.
  • Component Type: TYPO3 CMS
  • Vulnerable subcomponent: File List (ext:filelist)
  • Release Date: January 22, 2019
  • Vulnerability Type: Arbitrary Code Execution
  • Affected Versions: 8.0.0-8.7.22 and 9.0.0-9.5.3
  • Severity: None - Critical (depending on web server configuration)
  • Suggested CVSS v3.0: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C
  • CVE: not assigned yet
    Problem Description

    Due to missing file extensions in $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'], backend users are allowed to upload *.phar, *.shtml, *.pl or *.cgi files, which can be executed in certain web server setups. A valid backend user account is needed in order to exploit this vulnerability.

    Debian GNU/Linux and its derivatives handle *.phar files as PHP applications since PHP 7.1 (for unofficial packages) and PHP 7.2 (for official packages).

    The file extension *.shtml is bound to server-side includes, which are not enabled by default in most common Linux-based distributions. The file extensions *.pl and *.cgi require additional handlers to be configured, which is also not the case in most common distributions (except for the /cgi-bin/ location).
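    The following PHP script is an added audit example and not part of the advisory or of TYPO3 itself: it shows how a fileDenyPattern is applied to candidate upload names and which names a pattern lacking the extensions above would still accept. Both patterns in the script are constructed for illustration and are not TYPO3's shipped default values; check the pattern actually configured in your installation.

```php
<?php
// Added example (not part of the TYPO3 advisory): checking which upload file
// names a fileDenyPattern would still let through. Both patterns below are
// constructed for illustration; they are not TYPO3's shipped default values.

// Constructed "weak" pattern: blocks classic PHP extensions but not phar/shtml/pl/cgi.
const WEAK_DENY_PATTERN = '\\.(php[3-7]?|phpsh|phtml)(\\..*)?$|^\\.htaccess$';

// Constructed "hardened" pattern: additionally denies the extensions named in
// TYPO3-CORE-SA-2019-008. Double extensions (e.g. x.phar.txt) are covered by (\..*)?.
const HARDENED_DENY_PATTERN = '\\.(php[3-7]?|phpsh|phtml|phar|shtml|pl|cgi)(\\..*)?$|^\\.htaccess$';

/**
 * Returns true if $fileName matches the deny pattern, i.e. the upload must be
 * rejected. The match is case-insensitive, as TYPO3's own check is.
 */
function isDeniedByPattern(string $fileName, string $denyPattern): bool
{
    return preg_match('/' . $denyPattern . '/i', $fileName) === 1;
}

/**
 * Audit helper: given a deny pattern and candidate file names, return those
 * that would be accepted. Useful for checking a site's configured pattern.
 */
function filesAllowedBy(string $denyPattern, array $fileNames): array
{
    return array_values(array_filter(
        $fileNames,
        fn(string $name) => !isDeniedByPattern($name, $denyPattern)
    ));
}

// Constructed sample of upload names an auditor might test with.
$candidates = ['image.jpg', 'report.pdf', 'shell.php', 'shell.PHP5', 'app.phar',
               'page.shtml', 'script.pl', 'handler.cgi', 'notes.phar.txt', '.htaccess'];

echo "Allowed by weak pattern:     " . implode(', ', filesAllowedBy(WEAK_DENY_PATTERN, $candidates)) . PHP_EOL;
echo "Allowed by hardened pattern: " . implode(', ', filesAllowedBy(HARDENED_DENY_PATTERN, $candidates)) . PHP_EOL;
```

    To audit a real installation, replace the constructed patterns with the value of $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] from the site's configuration and extend the candidate list with whatever extensions the web server in question maps to a script handler; the deny pattern only protects against extensions the web server would actually execute.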

    Solution

    Update to TYPO3 versions 8.7.23 or 9.5.4 to fix the problem described.

    Credits

    Thanks to Edgar Boda-Majer and Lauritz Holtmann who reported these issues and to TYPO3 core team member Oliver Hader who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security related code changes are tagged so that you can easily look them up in our review system.

TYPO3-CORE-SA-2019-007: Cross-Site Scripting in Form Framework
https://typo3.org/security/advisory/typo3-core-sa-2019-007/
Published: Tue, 22 Jan 2019 11:06:00 +0100

    It has been discovered that TYPO3 CMS is vulnerable to cross-site scripting.
  • Component Type: TYPO3 CMS
  • Vulnerable subcomponent: Form Framework (ext:form)
  • Release Date: January 22, 2019
  • Vulnerability Type: Cross-Site Scripting
  • Affected Versions: 8.5.0-8.7.22 and 9.0.0-9.5.3
  • Severity: Medium
  • Suggested CVSS v3.0: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
  • CVE: not assigned yet
    Problem Description

    Because user input is not properly encoded, frontend forms handled by the form framework (system extension “form”) are vulnerable to cross-site scripting.

    Solution

    Update to TYPO3 versions 8.7.23 or 9.5.4 that fix the problem described.

    Strong security defaults - Manual actions required

    Since markup can no longer be used on purpose in form definitions, installations relying on this behavior have to be adjusted to use a proper Fluid template for the respective ConfirmationFinisher; see https://docs.typo3.org/typo3cms/extensions/core/latest/Changelog/8.7.x/Feature-83405-AddConfirmationFinisherTemplate.html for details.

    Credits

    Thanks to TYPO3 core team member Susanne Moog who reported this issue and to TYPO3 core team member Ralf Zimmermann who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security related code changes are tagged so that you can easily look them up in our review system.

TYPO3-CORE-SA-2019-006: Cross-Site Scripting in Bootstrap CSS toolkit
https://typo3.org/security/advisory/typo3-core-sa-2019-006/
Published: Tue, 22 Jan 2019 11:05:00 +0100

    It has been discovered that TYPO3 CMS is vulnerable to cross-site scripting.
  • Component Type: TYPO3 CMS
  • Vulnerable subcomponent: 3rd party library Bootstrap CSS toolkit
  • Release Date: January 22, 2019
  • Vulnerability Type: Cross-Site Scripting
  • Affected Versions: 8.0.0-8.7.22 and 9.0.0-9.5.3
  • Severity: Medium
  • Suggested CVSS v3.0: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
  • CVE: CVE-2018-14041
    Problem Description

    It has been discovered that the third party library Bootstrap CSS toolkit is vulnerable to cross-site scripting. Details are mentioned in a dedicated vulnerability report at https://snyk.io/vuln/npm:bootstrap:20160627.

    Solution

    An official fix has been released with Bootstrap version 3.4.0, see https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/ for details.
    Update to TYPO3 versions 8.7.23 or 9.5.4 that fix the problem described. 

    Credits

    Thanks to Michiel Roos who reported this issue and to TYPO3 core team member Benni Mack who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security related code changes are tagged so that you can easily look them up in our review system.

TYPO3-CORE-SA-2019-005: Cross-Site Scripting in Fluid ViewHelpers
https://typo3.org/security/advisory/typo3-core-sa-2019-005/
Published: Tue, 22 Jan 2019 11:04:00 +0100

    It has been discovered that TYPO3 CMS is vulnerable to cross-site scripting.
  • Component Type: TYPO3 CMS
  • Vulnerable subcomponent: Fluid (ext:fluid)
  • Release Date: January 22, 2019
  • Vulnerability Type: Cross-Site Scripting
  • Affected Versions: 8.0.0-8.7.22 and 9.0.0-9.5.3
  • Severity: Medium
  • Suggested CVSS v3.0: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
  • CVE: not assigned yet
    Problem Description

    Because user input is not properly encoded, templates using built-in Fluid ViewHelpers are vulnerable to cross-site scripting.

    Solution

    Update to TYPO3 versions 8.7.23 or 9.5.4 that fix the problem described.

    Credits

    Thanks to Markus Gerdes who reported this issue and to TYPO3 core team member Andreas Wolf who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security related code changes are tagged so that you can easily look them up in our review system.

TYPO3-CORE-SA-2019-004: Cross-Site Scripting in Language Pack Handling
https://typo3.org/security/advisory/typo3-core-sa-2019-004/
Published: Tue, 22 Jan 2019 11:03:00 +0100

    It has been discovered that TYPO3 CMS is vulnerable to cross-site scripting.
  • Component Type: TYPO3 CMS
  • Vulnerable subcomponent: Language Pack Handling (ext:install)
  • Release Date: January 22, 2019
  • Vulnerability Type: Cross-Site Scripting
  • Affected Versions: 9.2.0-9.5.3
  • Severity: Medium
  • Suggested CVSS v3.0: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
  • CVE: not assigned yet
    Problem Description

    Because information from external sources is not properly encoded, language pack handling in the install tool is vulnerable to cross-site scripting.

    Solution

    Update to TYPO3 version 9.5.4 that fixes the problem described.

    Credits

    Thanks to TYPO3 core team member Georg Ringer who reported this issue and to TYPO3 core team member Frank Nägler who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security related code changes are tagged so that you can easily look them up in our review system.

TYPO3-EXT-SA-2019-004: Object Injection in extension "mkmailer" (mkmailer)
https://typo3.org/security/advisory/typo3-ext-sa-2019-004/
Published: Tue, 22 Jan 2019 11:03:00 +0100

    It has been discovered that the extension "mkmailer" (mkmailer) is susceptible to Object Injection.
  • Release Date: January 22, 2019
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Vulnerability Type: Object Injection
  • Affected Versions: 3.0.9 and below
  • Severity: High
  • Suggested CVSS v3.0: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
  • CVE: not assigned yet
    Problem Description

    It was discovered that the included third-party library PHPMailer is prone to a PHP object injection vulnerability, potentially allowing a remote attacker to execute arbitrary code.

    Solution

    An updated version 3.0.10 is available from the TYPO3 extension manager and at https://typo3.org/extensions/repository/download/mkmailer/3.0.10/zip/.
    Users of the extension are advised to update the extension as soon as possible.

    Note: Versions 3.0.1 to 3.0.9 of the extension have been released on GitHub only, but are vulnerable too.

    Credits

    Thanks to Security Team Member Torben Hansen who reported the vulnerability.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

TYPO3-CORE-SA-2019-003: Broken Access Control in Localization Handling
https://typo3.org/security/advisory/typo3-core-sa-2019-003/
Published: Tue, 22 Jan 2019 11:02:00 +0100

    It has been discovered that TYPO3 CMS is susceptible to broken access control.
  • Component Type: TYPO3 CMS
  • Vulnerable subcomponent: Localization Handling
  • Release Date: January 22, 2019
  • Vulnerability Type: Broken Access Control
  • Affected Versions: 8.0.0-8.7.22
  • Severity: Medium
  • Suggested CVSS v3.0: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:F/RL:O/RC:C
  • CVE: not assigned yet
    Problem Description

    It has been discovered that backend users with limited access to specific languages are able to modify and create pages in the default language, which should be disallowed. A valid backend user account is needed in order to exploit this vulnerability.

    Solution

    Update to TYPO3 version 8.7.23 that fixes the problem described.

    Credits

    Thanks to Sascha Egerer who reported this issue and to TYPO3 core team member Oliver Hader who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security related code changes are tagged so that you can easily look them up in our review system.

TYPO3-EXT-SA-2019-003: Multiple vulnerabilities in extension "femanager" (femanager)
https://typo3.org/security/advisory/typo3-ext-sa-2019-003/
Published: Tue, 22 Jan 2019 11:02:00 +0100

    It has been discovered that the extension "femanager" (femanager) is susceptible to Validation Bypass and Information Disclosure.
  • Release Date: January 22, 2019
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Vulnerability Type: Multiple vulnerabilities
  • Affected Versions: 4.2.2 and below
  • Severity: Medium
  • Suggested CVSS v3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C
  • CVE: not assigned yet
    Problem Description

    It is possible to bypass configured server-side validation rules, which allows an attacker to create frontend user records with invalid data. Also, the eID script allows an attacker to set various validators using GET parameters, resulting in information disclosure of field values from the fe_users table.

    Solution

    An updated version 4.2.3 is available from the TYPO3 extension manager and at https://typo3.org/extensions/repository/download/femanager/4.2.3/zip/.
    Users of the extension are advised to update the extension as soon as possible.

    Credits

    Thanks to Marcus Bitzl, Johannes Baiter and Loek Hilgersom who discovered and reported the vulnerability.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

TYPO3-CORE-SA-2019-002: Security Misconfiguration for Backend User Accounts
https://typo3.org/security/advisory/typo3-core-sa-2019-002/
Published: Tue, 22 Jan 2019 11:01:00 +0100

    It has been discovered that TYPO3 CMS is susceptible to security misconfiguration.
  • Component Type: TYPO3 CMS
  • Vulnerable subcomponent: Backend User Account Model (ext:core)
  • Release Date: January 22, 2019
  • Vulnerability Type: Security Misconfiguration
  • Affected Versions: 8.0.0-8.7.22 and 9.0.0-9.5.3
  • Severity: None - High (depending on 3rd party authentication services)
  • Suggested CVSS v3.0: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C
  • CVE: not assigned yet
    Problem Description

    When using the TYPO3 backend to create new backend user accounts, database records containing insecure or empty credentials might be persisted. When the type of user account is changed (the entity type or the admin flag for backend users), the backend form is reloaded in order to reflect the changed configuration possibilities. However, this also persists the current state, which can result in one of the following:

    • account contains empty login credentials (username and/or password)
    • account is incomplete and contains weak credentials (username and/or password)

    Although the functionality provided by the TYPO3 core cannot be used with empty usernames or empty passwords, this can still be a severe vulnerability for custom authentication service implementations.

    This weakness cannot be exploited directly and requires deliberate interaction by a backend user having the appropriate privileges.

    Solution

    Update to TYPO3 versions 8.7.23 or 9.5.4 that fix the problem described. Backend user accounts created in the backend user interface or using the DataHandler API are now disabled by default; in addition, empty usernames and passwords are filled with random values to avoid scenarios where empty credentials are persisted.

    Strong security defaults - Manual actions required

    In order to apply strong security defaults, new backend user accounts are now disabled by default and need to be activated manually. To disable this behavior, the following setting can be applied individually:

    $GLOBALS['TCA']['be_users']['columns']['disable']['config']['default'] = 0;

    Besides that, it is ensured that no empty values for username and password are persisted anymore. This behavior can be adjusted by removing the according hook class from the processDatamapClass hook list:

    $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'] = array_filter(
        $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'] ?? [],
        function ($className) { return $className !== \TYPO3\CMS\Core\Hooks\BackendUserPasswordCheck::class; }
    );

    Credits

    Thanks to Oliver Eglseder who reported this issue and to TYPO3 core team member Benni Mack who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security related code changes are tagged so that you can easily look them up in our review system.

TYPO3-EXT-SA-2019-002: Multiple vulnerabilities in extension "typo3_forum" (typo3_forum)
https://typo3.org/security/advisory/typo3-ext-sa-2019-002/
Published: Tue, 22 Jan 2019 11:01:00 +0100

    It has been discovered that the extension "typo3_forum" (typo3_forum) is susceptible to Broken Access Control and Improper Filesystem Permissions.
  • Release Date: January 22, 2019
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Vulnerability Type: Multiple vulnerabilities
  • Affected Versions: 1.1.0 and below
  • Severity: Medium
  • Suggested CVSS v3.0: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C
  • CVE: not assigned yet
    Problem Description

    The extension fails to properly check user access rights to posts, which makes it possible for registered forum users to modify and take over posts of other users. The extension also creates an upload directory with 777 permissions.

    Solution

    An updated version 1.1.1 is available from the TYPO3 extension manager and at https://typo3.org/extensions/repository/download/typo3_forum/1.1.1/zip/.
    Users of the extension are advised to update the extension as soon as possible.

    Users are advised to manually check and correct the permissions of the directory "uploads/tx_typo3forum/attachments/" to the value configured in [SYS][folderCreateMask].

    Credits

    Thanks to Sebastian Muszynski who discovered and reported the vulnerability. 

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

TYPO3-CORE-SA-2019-001: Information Disclosure of Installed Extensions
https://typo3.org/security/advisory/typo3-core-sa-2019-001/
Published: Tue, 22 Jan 2019 11:00:00 +0100

    It has been discovered that TYPO3 CMS is susceptible to information disclosure.
  • Component Type: TYPO3 CMS
  • Vulnerable subcomponent: RequireJS package configuration
  • Release Date: January 22, 2019
  • Vulnerability Type: Information Disclosure
  • Affected Versions: 8.0.0-8.7.22 and 9.0.0-9.5.3
  • Severity: Low
  • Suggested CVSS v3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/E:F/RL:O/RC:C
  • CVE: not assigned yet
    Problem Description

    It has been discovered that the mechanisms used for configuring RequireJS package loading are susceptible to information disclosure. This way a potential attacker can retrieve additional information about installed system and third-party extensions.

    Solution

    Update to TYPO3 versions 8.7.23 or 9.5.4 that fix the problem described.

    Strong security defaults - Manual actions required

    Since this bugfix introduces new configuration, the TYPO3 caches need to be cleared, which can be done either by using the TYPO3 Install Tool or the TYPO3 Console CLI tool.

    Credits

    Thanks to Sven Jürgens and Stefan Isak who reported this issue and to TYPO3 core team member Oliver Hader who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security related code changes are tagged so that you can easily look them up in our review system.

TYPO3-EXT-SA-2019-001: Multiple vulnerabilities in extension "phpMyAdmin" (phpmyadmin)
https://typo3.org/security/advisory/typo3-ext-sa-2019-001/
Published: Tue, 22 Jan 2019 11:00:00 +0100

    It has been discovered that the extension "phpMyAdmin" (phpmyadmin) is susceptible to Cross-Site Scripting, CSRF, File Inclusion and Remote Code Execution.
  • Release Date: January 22, 2019
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Vulnerability Type: Multiple vulnerabilities
  • Affected Versions: 5.2.3 and below
  • Severity: High
  • Suggested CVSS v3.0: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE: not assigned yet
    Problem Description

    Multiple vulnerabilities have been found in the phpMyAdmin component.

    Solution

    An updated version 5.2.4 is available from the TYPO3 extension manager and at https://typo3.org/extensions/repository/download/phpmyadmin/5.2.4/zip/.
    Users of the extension are advised to update the extension as soon as possible.

    Note: In general, the TYPO3 Security Team recommends not using any extension that bundles database or file management tools on production TYPO3 websites.

    Credits

    Thanks to Andreas Beutel for providing a TYPO3 extension package with an updated phpMyAdmin version.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

TYPO3-PSA-2019-001: Possible Arbitrary Code Execution in CommandUtility API
https://typo3.org/security/advisory/typo3-psa-2019-001/
Published: Tue, 22 Jan 2019 10:00:00 +0100

    It has been discovered that TYPO3 CMS can be vulnerable to arbitrary code execution.
  • Release Date: January 22, 2019
  • Component Type: CommandUtility API (ext:core)
  • Impact: Possible Arbitrary Code Execution
  • Type: Advisory
    Problem Description

    It has been discovered that the TYPO3 core API CommandUtility::checkCommand() can be vulnerable to arbitrary code execution. Although no insecure usage inside the TYPO3 core system could be identified, third party extensions might be using the mentioned API in combination with user-submitted data. So far there is no proof of an existing exploit.

    Solution

    Update to TYPO3 versions 8.7.23 or 9.5.4 that fix the problem described. In order to evaluate whether third party extensions open a potential attack vector, usages of CommandUtility::checkCommand(), CommandUtility::getCommand() and the registration of custom services ($GLOBALS['T3_SERVICES']) have to be checked with regard to their 'exec' argument.

    In general, arbitrary data that shall be used in system commands must be escaped accordingly by invoking PHP’s escape-shell functions:

    TYPO3’s API function CommandUtility::escapeShellArgument() should be invoked when dealing with file names containing special characters on Unicode-aware file systems; internally it wraps PHP’s escapeshellarg() function.
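    The following script is an added example, not TYPO3 core code and not code from any extension: it shows the two defensive rules a reviewer checks for when auditing the usages named above, in plain PHP so it runs without TYPO3. The allow-list ALLOWED_COMMANDS and the helpers resolveAllowedCommand() and buildCommand() are assumptions of this example; inside a TYPO3 extension the escaping would go through CommandUtility::escapeShellArgument(), which wraps the escapeshellarg() call used here.

```php
<?php
// Added example (not TYPO3 core code): the two defensive rules behind
// TYPO3-PSA-2019-001, shown with plain PHP so it runs without TYPO3. The
// allow-list and the helper names (resolveAllowedCommand, buildCommand) are
// assumptions of this example; in a TYPO3 extension the escaping would go
// through CommandUtility::escapeShellArgument(), which wraps escapeshellarg().

// Rule 1: the *command name* must never come from user-submitted data. Resolve
// it from a fixed, administrator-controlled map instead of passing request
// input to a "does this command exist" style lookup.
const ALLOWED_COMMANDS = [
    'identify' => '/usr/bin/identify',
    'pdfinfo'  => '/usr/bin/pdfinfo',
];

function resolveAllowedCommand(string $name): string
{
    if (!array_key_exists($name, ALLOWED_COMMANDS)) {
        throw new InvalidArgumentException('Command not allowed: ' . $name);
    }
    return ALLOWED_COMMANDS[$name];
}

// Rule 2: every *argument* that can carry user data is escaped as a single
// shell word. $escape lets the same builder show the unsafe and the safe form.
function buildCommand(string $name, string $fileName, bool $escape): string
{
    $binary = resolveAllowedCommand($name);
    $argument = $escape ? escapeshellarg($fileName) : $fileName;
    return $binary . ' ' . $argument;
}

// Constructed sample: a file name carrying shell metacharacters, as an
// uploaded file could. The unsafe form is only displayed, never executed.
$userFileName = "report.pdf; echo injected";

echo "unsafe: " . buildCommand('pdfinfo', $userFileName, false) . PHP_EOL;
echo "safe:   " . buildCommand('pdfinfo', $userFileName, true) . PHP_EOL;

// The escaped argument reaches the child process as exactly one word. printf
// stands in for the real tool so the demonstration works on any system.
$output = shell_exec('printf "%s\n" ' . escapeshellarg($userFileName));
echo "argv[1] seen by the child process: " . $output;

// Resolving a user-chosen command name fails closed instead of running it.
try {
    resolveAllowedCommand($_GET['cmd'] ?? 'not-on-the-list');   // constructed request value
} catch (InvalidArgumentException $e) {
    echo $e->getMessage() . PHP_EOL;
}
```

    When reviewing an extension, look for the unsafe form of buildCommand(): string concatenation or interpolation of request data into a command line, and any path by which request data selects the command name itself. Escaping the argument is necessary but not sufficient; the command name has to stay under administrator control.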

    Credits

    Thanks to TYPO3 core team member Frank Nägler who reported this issue and to TYPO3 core team member Oliver Hader who addressed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

TYPO3-PSA-2019-002: Username and Email Address Enumeration
https://typo3.org/security/advisory/typo3-psa-2019-002/
Published: Tue, 22 Jan 2019 10:00:00 +0100

    It has been discovered that usernames and email addresses may be enumerated with brute-force techniques when validators are used to ensure a unique username or email address.
  • Release Date: January 22, 2019
  • Component Type: 3rd party extensions (not being part of TYPO3 default installation)
  • Impact: Enumeration of usernames and email addresses, Information Disclosure
  • Type: Advisory
    Problem Description

    TYPO3 extensions that allow creating frontend user accounts or newsletter subscriptions typically use server-side validators to ensure that a given username or email address is unique.

    Validation results like "A user with the given username already exists" or "This email address is already subscribed to the newsletter" allow remote users to compile a list of usernames and email addresses of frontend users or newsletter subscribers of the TYPO3 website.

    This information can be used to attack the TYPO3 frontend login, for example through a brute-force or a username/password attack. In some cases (e.g. sites with information for special target groups) this behavior can also be seen as an information disclosure.

    Advised Solution

    Whether possible enumeration of email addresses and usernames is classified as a security and privacy risk depends on the individual scenario and the overall requirements of the web application. The basic goal is to respond with generic messages without revealing details to third parties.

    To avoid username and email address enumeration in general, the following process is suggested.

    Frontend user registration

    1. Do not use validators that check for uniqueness of the username and email address field values
    2. Check for username and email address uniqueness on the server side before saving the new frontend user
      • If an account with the username or email address exists, send an email with password recovery instructions to the user (frontend user must contain a valid email address)
      • If no account with the username or email address exists, create a new account with the provided user data and proceed with the following registration steps (e.g. send opt-in email)
    3. Display a generic message without providing information about existing accounts (e.g. "An email with further registration instructions has been sent.")

    Some TYPO3 extensions for frontend user management (e.g. femanager, sf_register or sr_feuser_register) contain signal slots or hooks that may be used to implement the suggested process.

    Newsletter subscription

    1. Do not use validators that check the uniqueness of an email address
    2. Check email address uniqueness on the server side before saving the newsletter subscription
      • If the email address is already subscribed to the newsletter, ignore the registration and do not save the data
      • If the email address is not subscribed to the newsletter, save the registration and proceed with the following subscription steps (e.g. send opt-in email)
    3. Display a general message (e.g. "An email with further registration instructions has been sent.")
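    The following script is an added example covering both the "Frontend user registration" and the "Newsletter subscription" procedures above; it is not code from femanager, sf_register, sr_feuser_register or any other extension. The storage and the mailer are in-memory stand-ins (AccountStore, Mailer) so the script runs stand-alone, and the sample accounts and the constant GENERIC_MESSAGE are assumptions of this example.

```php
<?php
// Added example (not part of the TYPO3 advisory, not code from any extension):
// the registration and subscription flows suggested in TYPO3-PSA-2019-002 with
// storage and mail sending replaced by in-memory stand-ins. AccountStore,
// Mailer and GENERIC_MESSAGE are assumptions of this example.

const GENERIC_MESSAGE = 'An email with further registration instructions has been sent.';

// Constructed sample data: one existing account (fe_users stand-in) and one
// existing newsletter subscriber.
final class AccountStore
{
    /** @var array<string, array{username:string,email:string}> keyed by lowercase username */
    public array $users = [
        'alice' => ['username' => 'alice', 'email' => 'alice@example.org'],
    ];
    /** @var array<string, true> keyed by lowercase email */
    public array $subscribers = ['bob@example.org' => true];

    public function findUser(string $username, string $email): ?array
    {
        foreach ($this->users as $user) {
            if (strcasecmp($user['username'], $username) === 0
                || strcasecmp($user['email'], $email) === 0) {
                return $user;
            }
        }
        return null;
    }
}

final class Mailer
{
    /** @var list<array{to:string,subject:string}> */
    public array $outbox = [];

    public function send(string $to, string $subject): void
    {
        $this->outbox[] = ['to' => $to, 'subject' => $subject];
    }
}

/**
 * Steps 2 and 3 of "Frontend user registration": decide on the server side,
 * react by email only, and return the same message regardless of the outcome.
 */
function registerFrontendUser(AccountStore $store, Mailer $mailer, string $username, string $email): string
{
    $existing = $store->findUser($username, $email);
    if ($existing !== null) {
        // Account exists: inform the real owner by email, never the requester.
        $mailer->send($existing['email'], 'Password recovery instructions');
    } else {
        $store->users[strtolower($username)] = ['username' => $username, 'email' => $email];
        $mailer->send($email, 'Confirm your registration (opt-in)');
    }
    return GENERIC_MESSAGE;
}

/**
 * Steps 2 and 3 of "Newsletter subscription": duplicates are silently
 * ignored and the response is identical either way.
 */
function subscribeNewsletter(AccountStore $store, Mailer $mailer, string $email): string
{
    $key = strtolower($email);
    if (!isset($store->subscribers[$key])) {
        $store->subscribers[$key] = true;
        $mailer->send($email, 'Confirm your newsletter subscription (opt-in)');
    }
    return GENERIC_MESSAGE;
}

$store = new AccountStore();
$mailer = new Mailer();

// A taken username and a free one yield the same message for the requester;
// only the mail that goes out differs.
$taken = registerFrontendUser($store, $mailer, 'alice', 'someone@example.net');
$free  = registerFrontendUser($store, $mailer, 'carol', 'carol@example.org');
var_dump($taken === $free);
var_dump($mailer->outbox[0]['to']);

// Same for a duplicate and a new newsletter address.
$dup = subscribeNewsletter($store, $mailer, 'BOB@example.org');
$new = subscribeNewsletter($store, $mailer, 'dave@example.org');
var_dump($dup === $new);
var_dump(count($mailer->outbox));
```

    The message returned to the requester is the only thing the extension controls directly; in a real implementation the mail should be queued rather than sent synchronously, so that the response time of the "account exists" branch does not differ noticeably from the "new account" branch.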

    Credits

    Thanks to Loek Hilgersom who reported this issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

TYPO3-PSA-2019-003: Cross-Site Scripting in Flash component (ELTS)
https://typo3.org/security/advisory/typo3-psa-2019-003/
Published: Tue, 22 Jan 2019 10:00:00 +0100

    It has been discovered that TYPO3 CMS is vulnerable to cross-site scripting.
  • Release Date: January 22, 2019 (December 11, 2018 for ELTS)
  • Vulnerability Type: Cross-Site Scripting
  • Affected Versions: TYPO3 6.2.0 to 6.2.38 ELTS, TYPO3 7.0.0 to 7.1.0
  • Severity: Medium
  • Suggested CVSS v3.0: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C
  • CVE: not assigned yet
    Problem Description

    It has been discovered that the third party component websvg is vulnerable to cross-site scripting. A browser with the Flash plugin installed is needed in order to exploit this vulnerability.

    Solution

    Update to TYPO3 version 6.2.39 ELTS, which fixes the problem described and removes the affected file at typo3/contrib/websvg/svg.swf. The previous long term support versions TYPO3 v7.6.x are no longer affected.

    Credits

    Thanks to Purplemet Security for reporting this issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

TYPO3-CORE-SA-2018-012: Denial of Service in Frontend Record Registration
https://typo3.org/security/advisory/typo3-core-sa-2018-012/
Published: Tue, 11 Dec 2018 10:31:16 +0100

    It has been discovered that TYPO3 CMS is vulnerable to denial of service.
  • Component Type: TYPO3 CMS
  • Vulnerable subcomponent: Frontend Session Handling
  • Release Date: December 11, 2018
  • Vulnerability Type: Denial of Service
  • Affected Versions: 7.0.0-7.6.31 and 8.0.0-8.7.20
  • Severity: Medium
  • Suggested CVSS v3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F/RL:O/RC:C
  • CVE: not assigned yet
    Problem Description

    TYPO3’s built-in record registration functionality (aka “basic shopping cart”) using recs URL parameters is vulnerable to denial of service. Because it fails to properly ensure that anonymous user sessions are valid, attackers can use this vulnerability to create an arbitrary amount of individual session-data records in the database.

    Solution

    Update to TYPO3 versions 7.6.32 or 8.7.21 that fix the problem described. The frontend record registration feature has been deprecated in TYPO3 v8.6.0 and was finally removed in TYPO3 v9.0.0; thus TYPO3 v9 is not affected.

    Strong security defaults - Manual actions required

    The frontend record registration feature has been disabled in order to apply strong security defaults. Installations that actually use this functionality have to enable the feature (and its vulnerability) again.
    This can be done by enabling $GLOBALS['TYPO3_CONF_VARS']['FE']['enableRecordRegistration'] either using the Install Tool or according deployment techniques.

    Credits

    Thanks to Mads Lønne Jensen who reported this issue and to TYPO3 core team member Benni Mack who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security related code changes are tagged so that you can easily look them up in our review system.

TYPO3-CORE-SA-2018-011: Denial of Service in Online Media Asset Handling
https://typo3.org/security/advisory/typo3-core-sa-2018-011/
Published: Tue, 11 Dec 2018 10:27:47 +0100

    It has been discovered that TYPO3 CMS is vulnerable to denial of service.
  • Component Type: TYPO3 CMS
  • Vulnerable subcomponent: Online media asset handling
  • Release Date: December 11, 2018
  • Vulnerability Type: Denial of Service
  • Affected Versions: 7.0.0-7.6.31, 8.0.0-8.7.20 and 9.0.0-9.5.1
  • Severity: Medium
  • Suggested CVSS v3.0: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:F/RL:O/RC:C
  • CVE: not assigned yet
    Problem Description

    Online Media Asset Handling (*.youtube and *.vimeo files) in the TYPO3 backend is vulnerable to denial of service. Placing large files with these file extensions results in high consumption of system resources. This can lead to exceeding the limits of the current PHP process, which results in a dysfunctional backend component. A valid backend user account or write access on the server system (e.g. SFTP) is needed in order to exploit this vulnerability.

    Solution

    Update to TYPO3 versions 7.6.32, 8.7.21 or 9.5.2 that fix the problem described.

    Credits

    Thanks to Michael Schams who reported this issue and to TYPO3 core team member Oliver Hader who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security related code changes are tagged so that you can easily look them up in our review system.

TYPO3-CORE-SA-2018-010: Information Disclosure in Install Tool
https://typo3.org/security/advisory/typo3-core-sa-2018-010/
Published: Tue, 11 Dec 2018 10:25:26 +0100

    It has been discovered that TYPO3 CMS is susceptible to information disclosure.
  • Component Type: TYPO3 CMS
  • Vulnerable subcomponent: Install Tool
  • Release Date: December 11, 2018
  • Vulnerability Type: Information Disclosure
  • Affected Versions: 7.0.0-7.6.31, 8.0.0-8.7.20 and 9.0.0-9.5.1
  • Severity: Low
  • Suggested CVSS v3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/E:F/RL:O/RC:C
  • CVE: not assigned yet
    Problem Description

    The Install Tool exposes the current TYPO3 version number to non-authenticated users.

    Solution

    Update to TYPO3 versions 7.6.32, 8.7.21 or 9.5.2 that fix the problem described.

    Credits

    Thanks to Manuel Bloch who reported this issue and to TYPO3 core team member Benni Mack who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security related code changes are tagged so that you can easily look them up in our review system.

TYPO3-CORE-SA-2018-009: Security Misconfiguration in Install Tool Cookie
https://typo3.org/security/advisory/typo3-core-sa-2018-009/
Published: Tue, 11 Dec 2018 10:21:05 +0100

    It has been discovered that TYPO3 CMS is susceptible to security misconfiguration.
  • Component Type: TYPO3 CMS
  • Vulnerable subcomponent: Install Tool Session Handling
  • Release Date: December 11, 2018
  • Vulnerability Type: Security Misconfiguration
  • Affected Versions: 7.0.0-7.6.31, 8.0.0-8.7.20 and 9.0.0-9.5.1
  • Severity: Medium
  • Suggested CVSS v3.0: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C
  • CVE: not assigned yet
  • Problem Description

    It has been discovered that the session cookie created by the Install Tool is not flagged HttpOnly, so it remains readable by client-side script. In combination with other vulnerabilities such as cross-site scripting, this can lead to hijacking of an active and valid Install Tool session.
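An added example, not TYPO3 code, of the check a reviewer would run against the Install Tool cookie after the fix: parse a Set-Cookie header and report the hardening attributes it lacks. The cookie name Typo3InstallTool is taken from the advisory; the header values are constructed, and the Secure and SameSite checks go beyond what this advisory covers.

```php
<?php
declare(strict_types=1);

// Added example: audit Set-Cookie headers for session-cookie hardening.
// Headers below are constructed; only the cookie name comes from the advisory.

/**
 * Parse a raw Set-Cookie header into [name, value, attributes].
 * Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to true.
 */
function parseSetCookie(string $header): array
{
    $header = preg_replace('/^set-cookie:\s*/i', '', trim($header));
    $parts = array_map('trim', explode(';', $header));
    [$name, $value] = array_pad(explode('=', array_shift($parts), 2), 2, '');
    $attributes = [];
    foreach ($parts as $part) {
        if ($part === '') {
            continue;
        }
        [$key, $val] = array_pad(explode('=', $part, 2), 2, true);
        $attributes[strtolower($key)] = $val;
    }
    return [$name, $value, $attributes];
}

/**
 * Return the hardening problems found for a session cookie, empty if none.
 * $servedOverTls tells whether the Secure flag is mandatory for this site.
 */
function auditSessionCookie(string $header, bool $servedOverTls = true): array
{
    [$name, , $attributes] = parseSetCookie($header);
    $problems = [];
    if (!isset($attributes['httponly'])) {
        $problems[] = "$name: missing HttpOnly, cookie is readable via document.cookie";
    }
    if ($servedOverTls && !isset($attributes['secure'])) {
        $problems[] = "$name: missing Secure, cookie is also sent over plain HTTP";
    }
    $sameSite = strtolower((string)($attributes['samesite'] ?? ''));
    if (!in_array($sameSite, ['lax', 'strict'], true)) {
        $problems[] = "$name: SameSite is not Lax or Strict";
    }
    return $problems;
}

// Constructed headers: the pre-fix shape and a hardened one.
$weak = 'Set-Cookie: Typo3InstallTool=0123456789abcdef; path=/typo3/';
$hardened = 'Set-Cookie: Typo3InstallTool=0123456789abcdef; path=/typo3/; Secure; HttpOnly; SameSite=Strict';

foreach ([$weak, $hardened] as $header) {
    $problems = auditSessionCookie($header);
    echo $header, PHP_EOL;
    echo $problems === [] ? '  OK' : '  ' . implode(PHP_EOL . '  ', $problems), PHP_EOL;
}
```

The first header reports all three problems, the second none. In PHP 7.3 and later the hardened header is produced with the options array of setcookie(), e.g. setcookie('Typo3InstallTool', $id, ['path' => '/typo3/', 'secure' => true, 'httponly' => true, 'samesite' => 'Strict']); the HttpOnly flag only limits script access, it does not stop a cross-site scripting payload from issuing requests with the cookie attached, so the XSS fixes in the same release still matter.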

    Solution

    Update to TYPO3 versions 7.6.32, 8.7.21 or 9.5.2 that fix the problem described.
    It is suggested to clear the Typo3InstallTool cookie in web browsers.

    Credits

    Thanks to TYPO3 core team member Oliver Hader who reported this issue and to TYPO3 core team member Andreas Wolf who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security related code changes are tagged so that you can easily look them up in our review system.

    Development
    news-1862 Tue, 11 Dec 2018 10:15:40 +0100 TYPO3-CORE-SA-2018-008: Cross-Site Scripting in Frontend User Login https://typo3.org/security/advisory/typo3-core-sa-2018-008/ It has been discovered, that TYPO3 CMS is vulnerable to cross-site scripting.
  • Component Type: TYPO3 CMS
  • Vulnerable subcomponent: Frontend user login
  • Release Date: December 11, 2018
  • Vulnerability Type: Cross-Site Scripting
  • Affected Versions: 7.0.0-7.6.31, 8.0.0-8.7.20 and 9.0.0-9.5.1
  • Severity: Medium
  • Suggested CVSS v3.0: AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
  • CVE: not assigned yet
  • Problem Description

    Because user input is not properly encoded, the login status display in the website frontend is vulnerable to cross-site scripting. A valid user account is needed in order to exploit this vulnerability: either a backend user, or a frontend user who is able to modify their own user profile.

    Template patterns that are affected are

    • ###FEUSER_[fieldName]### using system extension felogin
    • <!--###USERNAME###--> for regular frontend rendering (pattern can be defined individually using TypoScript setting config.USERNAME_substToken)
       

    Solution

    Update to TYPO3 versions 7.6.32, 8.7.21 or 9.5.2 that fix the problem described.

    Strong security defaults - Possible customization

    Template patterns rendered with system extension felogin can be configured using TypoScript. In order to apply strong security defaults, the property htmlSpecialChars is enabled by default. The rendering can be customized by adjusting the corresponding TypoScript setting plugin.tx_felogin_pi1.userfields.fieldName.htmlSpecialChars; disabling it for a field outputs that field unencoded again.

    Credits

    Thanks to Thomas Löffler who reported this issue and to TYPO3 core team member Benni Mack who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security related code changes are tagged so that you can easily look them up in our review system.

    Development
    news-1861 Tue, 11 Dec 2018 10:12:34 +0100 TYPO3-CORE-SA-2018-007: Cross-Site Scripting in Backend Modal Component https://typo3.org/security/advisory/typo3-core-sa-2018-007/ It has been discovered, that TYPO3 CMS is vulnerable to cross-site scripting.
  • Component Type: TYPO3 CMS
  • Vulnerable subcomponent: Backend modal component
  • Release Date: December 11, 2018
  • Vulnerability Type: Cross-Site Scripting
  • Affected Versions: 7.1.0-7.6.31, 8.5.0-8.7.20 and 9.0.0-9.5.1
  • Severity: Medium
  • Suggested CVSS v3.0: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
  • CVE: not assigned yet
  • Problem Description

    Because user input is not properly encoded, notifications shown in modal windows in the TYPO3 backend are vulnerable to cross-site scripting. A valid backend user account is needed in order to exploit this vulnerability.

    Solution

    Update to TYPO3 versions 7.6.32, 8.7.21 or 9.5.2 that fix the problem described.

    Credits

    Thanks to Joshua Westerheide who reported this issue and to TYPO3 core team member Frank Nägler who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security related code changes are tagged so that you can easily look them up in our review system.

    Development
    news-1860 Tue, 11 Dec 2018 10:09:24 +0100 TYPO3-CORE-SA-2018-006: Cross-Site Scripting in Online Media Asset Rendering https://typo3.org/security/advisory/typo3-core-sa-2018-006/ It has been discovered, that TYPO3 CMS is vulnerable to cross-site scripting.
  • Component Type: TYPO3 CMS
  • Vulnerable subcomponent: Online media asset rendering
  • Release Date: December 11, 2018
  • Vulnerability Type: Cross-Site Scripting
  • Affected Versions: 7.5.0-7.6.31, 8.0.0-8.7.20 and 9.0.0-9.5.1
  • Severity: Medium
  • Suggested CVSS v3.0: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
  • CVE: not assigned yet
  • Problem Description

    Because user input is not properly encoded, online media asset rendering (*.youtube and *.vimeo files) is vulnerable to cross-site scripting. A valid backend user account, or write access to the file system of the server (e.g. via SFTP), is needed in order to exploit this vulnerability.

    Solution

    Update to TYPO3 versions 7.6.32, 8.7.21 or 9.5.2 that fix the problem described.

    Credits

    Thanks to András Ottó who reported this issue and to TYPO3 core team members Susanne Moog and Stefan Neufeind who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security related code changes are tagged so that you can easily look them up in our review system.

    Development
    news-1859 Tue, 11 Dec 2018 09:58:10 +0100 TYPO3-CORE-SA-2018-005: Cross-Site Scripting in CKEditor https://typo3.org/security/advisory/typo3-core-sa-2018-005/ It has been discovered, that TYPO3 CMS is vulnerable to cross-site scripting.
  • Component Type: TYPO3 CMS
  • Vulnerable subcomponent: 3rd party JavaScript library CKEditor
  • Release Date: December 11, 2018
  • Vulnerability Type: Cross-Site Scripting
  • Affected Versions: 8.5.0 to 8.7.20 and 9.0.0 to 9.5.1
  • Severity: Low
  • Suggested CVSS v3.0: AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
  • CVE: CVE-2018-17960
  • Problem Description

    It has been discovered, that the third party library CKEditor is vulnerable to cross-site scripting. A valid backend user account is needed in order to exploit this vulnerability.

    Details from CKEditor v4.11.0 release notes (affects TYPO3 v8 and v9) 
    CKEditor 4.11 fixes an XSS vulnerability in the HTML parser reported by maxarr. The vulnerability stemmed from the fact that it was possible to execute XSS inside the CKEditor source area after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode. Although this is an unlikely scenario, we recommend to upgrade to the latest editor version.

    Details from CKEditor v4.9.2 release notes (affects TYPO3 v8 only)
    CKEditor 4.9.2 fixes an XSS vulnerability in the Enhanced Image (image2) plugin reported by Kyaw Min Thein. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor using the <img> tag and specially crafted HTML.

    Solution

    An official fix has been released with CKEditor version 4.11.0.
    Update to TYPO3 versions 8.7.21 or 9.5.2 that fix the problem described.

    Strong security defaults - Manual actions required

    By default TYPO3 uses the latest CKEditor version, v4.11.1, in order to apply strong security defaults. For backward compatibility, and accepting possible side effects, it is possible to manually re-enable the previous CKEditor v4.7.1 together with its vulnerability.

    This can be done by assigning $GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['rte_ckeditor'] = 'a:1:{s:15:"ckeditorVersion";s:3:"4.7";}' (a PHP serialized array; the declared string length must match the value, 3 for "4.7"), either by modifying the configuration of extension rte_ckeditor in the Extension Manager or through the corresponding deployment technique.

    This applies to TYPO3 v8 only.

    Credits

    Thanks to Peter Kraume who reported this issue and to TYPO3 core team member Benni Mack who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security related code changes are tagged so that you can easily look them up in our review system.

    Development
    news-1855 Tue, 20 Nov 2018 11:00:00 +0100 TYPO3-PSA-2018-002: Web Resource Restrictions https://typo3.org/security/advisory/typo3-psa-2018-002/ It has been discovered that development related information can be retrieved by regular HTTP GET requests on NGINX web server environments missing strict access restriction settings.
  • Release Date: November 20, 2018
  • Component Type: Web server hosting environment
  • Impact: Information disclosure of developer related resources
  • Type: Advisory
  • Problem Description

    The TYPO3 security team has been informed about the possibility to retrieve development related information - such as Composer or TypoScript configurations - by regular HTTP GET requests on NGINX web server environments missing strict access restriction settings.

    The TYPO3 core already provides default configuration for Apache web server and Microsoft Internet Information Server (IIS) using custom override techniques (.htaccess and web.config declarations). Since this functionality is not available on web servers running NGINX, server maintainers have to ensure internal resources are restricted from being exposed to the public web interface.

    This information could be used by attackers in order to infer internal system behavior as well as to identify specific release versions (TYPO3 core, extensions, packages).

    Solution

    The TYPO3 security guide has been extended and addresses the topic in greater detail. Primarily, hosting environments using NGINX should be adjusted and reviewed in order to not expose internal information anymore. Apache and IIS environments were already provided with default values delivered by the TYPO3 core, but should be reviewed once more whether their restriction settings are up-to-date. A section showing potential URLs that should be restricted has been added to the security guide accordingly.
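An added example, not the snippet from the TYPO3 security guide: NGINX regex locations that deny the kinds of developer resources named above. The paths assume a stock TYPO3 8/9 document root with extensions under typo3conf/ext/; everything beyond that is an assumption to adapt to your own layout.

```nginx
# Added example (not from the TYPO3 core or security guide). These blocks must be
# placed before the "location ~ \.php$" block: nginx uses the first matching
# regex location, so a late "deny" never wins against an earlier PHP handler.

# dotfiles and dot-directories (.git, .env, .htaccess, ...)
location ~ /\. {
    deny all;
}

# Composer and other build metadata in the document root
location ~* ^/(composer\.(json|lock)|package(-lock)?\.json|yarn\.lock)$ {
    deny all;
}

# extension sources: only Resources/Public should ever be served directly
location ~* ^/typo3conf/ext/[^/]+/(Classes|Configuration|Resources/Private|Tests)/ {
    deny all;
}

# TypoScript, YAML, SQL, log and backup files wherever they sit under the root
location ~* \.(typoscript|tsconfig|yaml|yml|sql|log|bak)$ {
    deny all;
}
```

After reloading, verify from outside with a plain GET: `curl -sI https://www.example.test/composer.json | head -1` must return 403 rather than 200, and the same for a TypoScript file under typo3conf/ext/. Because these are deny rules on URL patterns, a file that does not match them but still contains internal information stays exposed; the list is a starting point, not a replacement for reviewing what the document root actually contains.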

    Links

    Credits

    Credits go to Peter Schuler & Thomas Löffler who reported the vulnerability.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    Development
    news-1810 Tue, 20 Nov 2018 10:00:00 +0100 TYPO3-EXT-SA-2018-010: Cross-Site Scripting in extension "libconnect" (libconnect) https://typo3.org/security/advisory/typo3-ext-sa-2018-010-1/ It has been discovered that the extension "libconnect" (libconnect) is susceptible to Cross-Site Scripting.
  • Release Date: November 20, 2018
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Vulnerability Type: Cross-Site Scripting
  • Affected Versions: 5.3.1 and below
  • Severity: Medium
  • Suggested CVSS v3.0: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
  • CVE: not assigned yet
  • Problem Description

    The extension fails to properly encode user input for output in HTML context.

    Solution

    An updated version 5.3.2 is available from the TYPO3 extension manager and at https://extensions.typo3.org/extension/download/libconnect/5.3.2/zip/
    Users of the extension are advised to update the extension as soon as possible. 

    Credits

    Thanks to Christoph Lehmann who reported the vulnerability. 

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    Development
    news-1826 Thu, 18 Oct 2018 10:00:00 +0200 TYPO3-PSA-2018-001: By-passing Protection of PharStreamWrapper Interceptor https://typo3.org/security/advisory/typo3-psa-2018-001/ It has been discovered that the protection against insecure deserialization can be by-passed in PharStreamWrapper component.
  • Component type: PharStreamWrapper (package typo3/phar-stream-wrapper)
  • Release date: October 18, 2018
  • Impact: By-passing protection against insecure deserialization
  • Affected versions: releases of the package before v2.0.1 (PHP 5.3 line) and before v3.0.1 (PHP 7.0 line)
  • Announced at https://github.com/TYPO3/phar-stream-wrapper/wiki/TYPO3-PSA-2018-001

    Problem description

    Insecure deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application. In July 2018, the vulnerability of insecure deserialization when executing Phar archives was addressed by removing the known attack vector in the TYPO3 core. For more details read the corresponding TYPO3 advisory.

    In addition, a new interceptor was introduced to protect against possible (but unknown) vulnerabilities in 3rd party components such as TYPO3 extensions. Basically, the PharStreamWrapper intercepts direct invocations of Phar archives and allows or denies further processing based on individual rules.

    Recently, the PharStreamWrapper was extracted from the TYPO3 core and released as a standalone package under the MIT license. It is now available for any PHP driven project.

    The stream wrapper replaces PHP's built-in phar:// handling, applies its own assertions and then restores the native PHP Phar handling for the corresponding operation (e.g. file_exists, include, fopen) to continue processing. After that, the native PHP Phar handling gets disabled and is replaced by the logic of the PharStreamWrapper again. This is the only way to control invocations of Phar archives, as PHP allows only a single handler per stream protocol.

    We were informed that exception and error handlers in custom applications (e.g. TYPO3 extensions) sometimes kept control from returning to the PharStreamWrapper after such a delegated call. A possible consequence was that the unprotected native PHP Phar handling remained active, so the basic issue of insecure deserialization became exploitable again.

    Examples

    Take a look at the following examples showing how the handling is by-passed in custom application code.

    Scenario A: Exception thrown from code organized in a Phar archive

    try {
        include('phar://path-to-archive/good-archive.phar');
    } catch (\Throwable $throwable) {
        // not doing much here, continue execution
    }
    // the insecure value can be anything that is or was user-submitted
    // and cannot be trusted in terms of security, $_GET is just used as example
    $insecureValue = $_GET['path'];
    // the value might be 'phar://path-to-archive/malicious-archive.phar'
    file_exists($insecureValue);
    
    

    Scenario B: Errors converted to exceptions and thrown when interacting with archive contents

    // set error handler in order to convert errors to exceptions
    // (the fifth $errcontext argument is no longer passed since PHP 8.0, so it is omitted)
    set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline) {
       throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
    });
    // interacting with Phar archive
    try {
       $resource = opendir('phar://path-to-archive/good-archive.phar/non-existing-path/');
       closedir($resource);
    } catch (\Throwable $throwable) {
       // not doing much here, continue execution
    }
    // the insecure value can be anything that is or was user-submitted
    // and cannot be trusted in terms of security, $_GET is just used as example
    $insecureValue = $_GET['path'];
    // the value might be 'phar://path-to-archive/malicious-archive.phar'
    file_exists($insecureValue);
    
    

    Solution

    The PharStreamWrapper package has therefore been enhanced to address this issue. The two given scenarios are now handled: after each delegated invocation the native PHP Phar handling is disabled and replaced by the PharStreamWrapper again, also when an exception is thrown.

    The PharStreamWrapper package is available for download for any PHP driven project.

    Users who downloaded the previous version are advised to upgrade to versions 3.0.1 (for PHP v7.0 and later) and 2.0.1 (for PHP v5.3 and later) to keep their projects safe.

    As the vulnerability exists primarily in theory and there have been no public reports or findings on how it can be exploited in production environments, this public service announcement has been published instead of releasing new TYPO3 versions.
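The following is an added example, not the typo3/phar-stream-wrapper code itself: a minimal phar:// interceptor that shows the restore/re-register cycle described above and why the re-registration has to live in a finally block, which is what both scenarios above come down to. The allow-list entry, the archive paths and the DemoPharInterceptor class are constructed for the demonstration; no phar file needs to exist, and the script needs ext/phar and PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not the typo3/phar-stream-wrapper code itself: a minimal phar://
 * interceptor showing the restore/re-register cycle described above and why the
 * re-registration must live in a finally block. The allow-list entry and the demo
 * paths are constructed; no phar file needs to exist. Requires ext/phar, PHP 7.1+.
 */
final class DemoPharInterceptor
{
    /** @var string[] archives the application may open (constructed allow-list) */
    public static $allowedArchives = ['/var/www/app/good-archive.phar'];

    /** true while this class, not PHP's native wrapper, handles phar:// */
    public static $active = false;

    /** set by PHP when a stream context is passed to the calling function */
    public $context;

    /** @var resource|null native phar:// handle that the stream_* calls delegate to */
    private $handle;

    public static function register(): void
    {
        stream_wrapper_unregister('phar');
        stream_wrapper_register('phar', self::class);
        self::$active = true;
    }

    /** Deny every archive that is not explicitly allowed; the inner path is irrelevant. */
    private static function assertAllowed(string $path): void
    {
        $rest = substr($path, strlen('phar://'));
        $pos = stripos($rest, '.phar');
        $archive = $pos === false ? $rest : substr($rest, 0, $pos + 5);
        if (!in_array($archive, self::$allowedArchives, true)) {
            throw new RuntimeException("Blocked phar invocation: $path");
        }
    }

    /**
     * Hand phar:// back to PHP, run the native function, then take the protocol
     * over again. The finally block is the point of the fix: if $function throws
     * (scenario A) or a converted error escapes (scenario B), the unprotected
     * native handling would otherwise stay active for the rest of the request.
     */
    private static function invokeNative(callable $function, ...$arguments)
    {
        stream_wrapper_restore('phar');
        self::$active = false;
        try {
            return $function(...$arguments);
        } finally {
            self::register();
        }
    }

    /** file_exists(), is_file(), stat() on phar:// paths end up here */
    public function url_stat(string $path, int $flags)
    {
        self::assertAllowed($path);
        $quiet = ($flags & STREAM_URL_STAT_QUIET) !== 0;
        return self::invokeNative(static function () use ($path, $quiet) {
            return $quiet ? @stat($path) : stat($path);
        });
    }

    /** fopen()/include() on phar:// paths end up here */
    public function stream_open(string $path, string $mode, int $options, ?string &$openedPath): bool
    {
        self::assertAllowed($path);
        $this->handle = self::invokeNative('fopen', $path, $mode);
        return is_resource($this->handle);
    }

    public function stream_read(int $count) { return fread($this->handle, $count); }
    public function stream_eof(): bool { return feof($this->handle); }
    public function stream_stat() { return fstat($this->handle); }
    public function stream_close(): void { fclose($this->handle); }
    public function stream_set_option(int $option, int $arg1, int $arg2): bool { return false; }
}

DemoPharInterceptor::register();

// Constructed "user input" mirroring the scenarios: one allowed archive, one not.
foreach (['phar:///var/www/app/good-archive.phar/config.php',
          'phar:///tmp/uploads/malicious-archive.phar/payload'] as $path) {
    try {
        // allowed path: PHP's native wrapper answers (false here, the archive is absent)
        echo $path, ' -> exists=', var_export(file_exists($path), true), PHP_EOL;
    } catch (RuntimeException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
    // the property the advisory is about: after every call, allowed or blocked,
    // the interceptor must be the registered phar:// handler again
    assert(DemoPharInterceptor::$active);
}
```

The first path passes the assertion and is answered by PHP's native handling; the second is refused before PHP ever parses the archive, so no deserialization of its metadata takes place. Removing the finally block and letting the native call throw is enough to reproduce the by-pass: the assertion at the end of the loop fails and the next file_exists() on the malicious path goes straight to PHP. A real interceptor also has to cover dir_opendir, mkdir, rename, unlink and the other wrapper hooks; the package linked above does that.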

    Download

    Please either upgrade to versions v3.0.1 and v2.0.1 manually or ensure Composer dependencies are raised to the mentioned new versions.

    Credits

    Credits go to Martin Auswöger of the Contao Security Team who reported the vulnerability and provided according security fixes.

    General advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    Development
    news-1809 Thu, 09 Aug 2018 10:09:00 +0200 TYPO3-EXT-SA-2018-009: Information Disclosure in extension "TemplaVoilà! Plus" (templavoilaplus) https://typo3.org/security/advisory/typo3-ext-sa-2018-009/ It has been discovered that the extension "TemplaVoilà! Plus" (templavoilaplus) is susceptible to Information Disclosure.
  • Release Date: August 9, 2018
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Vulnerability Type: Information Disclosure
  • Affected Versions: 7.2.1 and below 
  • Severity: Medium
  • Suggested CVSS v3.0: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
  • CVE: not assigned yet
  • Problem Description

    Due to a missing access check it is possible to view the contents of any file within a TYPO3 installation. A valid backend user account having access to the "TemplaVoilà! Plus" backend module is needed in order to exploit this vulnerability.

    Solution

    An updated version 7.2.2 is available from the TYPO3 extension manager and at https://extensions.typo3.org/extension/download/templavoilaplus/7.2.2/zip/
    Users of the extension are advised to update the extension as soon as possible. 

    Credits

    Thanks to Security Team Member Torben Hansen who discovered and reported the vulnerability. 

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    Security
    news-1808 Thu, 09 Aug 2018 10:08:00 +0200 TYPO3-EXT-SA-2018-008: Cross-Site Scripting in extension "Frontend Treeview" (mh_treeview) https://typo3.org/security/advisory/typo3-ext-sa-2018-008/ It has been discovered that the extension "Frontend Treeview" (mh_treeview) is susceptible to Cross-Site Scripting.
  • Release Date: August 9, 2018
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Vulnerability Type: Cross-Site Scripting
  • Affected Versions: 0.1.0 and below 
  • Severity: High
  • Suggested CVSS v3.0: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:F/RL:U/RC:C
  • CVE: not assigned yet
  • Problem Description

    The extension fails to properly encode user input for output in HTML context.

    Solution

    Versions of this extension that are known to be vulnerable are no longer available for download from the TYPO3 Extension Repository, because the extension author did not provide a security fix for the reported vulnerability within a reasonable time.

    Please uninstall and delete the extension folder from your installation.

    Credits

    Thanks to Security Team Member Nicole Cordes who discovered and reported the vulnerability. 

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    Security
    news-1807 Thu, 09 Aug 2018 10:07:00 +0200 TYPO3-EXT-SA-2018-007: Environment Variable Injection in extension "Amazon Web Services SDK" (aws_sdk) https://typo3.org/security/advisory/typo3-ext-sa-2018-007/ It has been discovered that the extension "Amazon Web Services SDK" (aws_sdk) is susceptible to Environment Variable Injection.
  • Release Date: August 9, 2018
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Vulnerability Type: Environment Variable Injection
  • Affected Versions: 3.0.4 and below 
  • Severity: High
  • Suggested CVSS v3.0: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE: CVE-2016-5385
  • Problem Description

    The extension uses an old version of the third party library guzzlehttp/guzzle, which is known to be vulnerable against the HTTPOXY attack. Read https://www.symfony.fi/entry/httpoxy-vulnerability-hits-php-installations-using-fastcgi-and-php-fpm-and-hhvm or https://httpoxy.org/ for further details.
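An added example, not code from the aws_sdk extension or from Guzzle, showing how the HTTPOXY flaw arises under CGI/FastCGI and what the hardened proxy lookup looks like. The request headers, environments and function names below are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not code from the aws_sdk extension or from Guzzle: how httpoxy
 * arises under CGI/FastCGI and the two mitigations. Inputs are constructed.
 */

/**
 * What a CGI/FastCGI web server does with request headers (RFC 3875): each header
 * becomes an HTTP_* meta-variable. A client-supplied "Proxy:" header therefore
 * lands in the same place as the operator's HTTP_PROXY environment variable.
 */
function cgiMetaVariables(array $requestHeaders): array
{
    $env = [];
    foreach ($requestHeaders as $name => $value) {
        $env['HTTP_' . strtoupper(str_replace('-', '_', $name))] = $value;
    }
    return $env;
}

/** Vulnerable lookup: honours HTTP_PROXY no matter how it got into the environment. */
function proxyFromEnvVulnerable(array $env): ?string
{
    return isset($env['HTTP_PROXY']) && $env['HTTP_PROXY'] !== '' ? $env['HTTP_PROXY'] : null;
}

/**
 * Hardened lookup (the approach patched HTTP clients took): HTTP_PROXY is only
 * trusted in a CLI process, where no request header can have produced it.
 * In real code pass PHP_SAPI as $sapi.
 */
function proxyFromEnvHardened(array $env, string $sapi): ?string
{
    if ($sapi !== 'cli') {
        return null;
    }
    return proxyFromEnvVulnerable($env);
}

/** Server-side detection: a legitimate web request never carries a Proxy header. */
function requestCarriesProxyHeader(array $env): bool
{
    return array_key_exists('HTTP_PROXY', $env);
}

// Constructed request: an attacker adds "Proxy: http://attacker.example:8080".
$request = ['Host' => 'www.example.test', 'Proxy' => 'http://attacker.example:8080'];
$webEnv = cgiMetaVariables($request);
// Constructed CLI environment: the operator's legitimate outbound proxy.
$cliEnv = ['HTTP_PROXY' => 'http://proxy.internal:3128'];

printf("Proxy header present in web request: %s\n", requestCarriesProxyHeader($webEnv) ? 'yes' : 'no');
printf("vulnerable lookup, fpm-fcgi: %s\n", proxyFromEnvVulnerable($webEnv) ?? 'none');
printf("hardened lookup, fpm-fcgi:   %s\n", proxyFromEnvHardened($webEnv, 'fpm-fcgi') ?? 'none');
printf("hardened lookup, cli:        %s\n", proxyFromEnvHardened($cliEnv, 'cli') ?? 'none');
```

The vulnerable lookup returns the attacker's proxy for the web request, the hardened one returns nothing there and still honours the operator's HTTP_PROXY in the CLI run. The second, independent mitigation belongs on the web server, which should drop the header before PHP sees it (for NGINX with FastCGI, httpoxy.org documents `fastcgi_param HTTP_PROXY "";`); since the vulnerable extension bundles an old guzzlehttp/guzzle that cannot be patched in place, removing the extension as the advisory says is still required.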

    Solution

    Versions of this extension that are known to be vulnerable are no longer available for download from the TYPO3 Extension Repository, because the extension author did not provide a security fix for the reported vulnerability within a reasonable time.

    Please uninstall and delete the extension folder from your installation.

    Credits

    Thanks to Michael Schams who discovered and reported the vulnerability. 

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    Security
    news-1806 Thu, 09 Aug 2018 10:06:00 +0200 TYPO3-EXT-SA-2018-006: Captcha bypass in extension "Front End User Registration" (sr_feuser_register) https://typo3.org/security/advisory/typo3-ext-sa-2018-006/ It has been discovered that the extension "Front End User Registration" (sr_feuser_register) is susceptible to Captcha bypass.
  • Release Date: August 9, 2018
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Vulnerability Type: Captcha bypass
  • Affected Versions: 5.0.0 and below 
  • Severity: Medium
  • Suggested CVSS v3.0: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE: not assigned yet
  • Problem Description

    When the extension is used together with the TYPO3 extension sr_freecap, it is possible to bypass the captcha in the registration form.

    Solution

    An updated version 5.1.0 is available from the TYPO3 extension manager and at https://extensions.typo3.org/extension/download/sr_feuser_register/5.1.0/zip/
    Users of the extension are advised to update the extension as soon as possible. 

    Credits

    Thanks to Johannes Hahn who discovered and reported the vulnerability. 

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    Security