TYPO3-EXT-SA-2014-001: Several vulnerabilities in extension mm_forum (mm_forum)

It has been discovered that the extension "mm_forum" (mm_forum) is vulnerable to Arbitrary Code Execution, Cross-Site Scripting and Cross-Site Request Forgery

Release Date: February 12, 2014

Bulletin update: September 18, 2014 (added CVEs)

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: Version 1.9.2 and below

Vulnerability Type: Arbitrary Code Execution, Cross-Site Scripting and Cross-Site Request Forgery (CSRF).

Severity: Critical

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:P/A:N/E:F/RL:O/RC:C (What's that?)

CVEs: CVE-2014-6297 (Cross-Site Scripting), CVE-2014-6298 (Arbitrary Code Execution), CVE-2014-6299 (CSRF)

Problem Description: Failing to properly sanitize user-supplied input the extension is vulnerable to Cross-Site Scripting. It was possible to upload arbitrary files as files were not checked against the file deny pattern, thus Arbitrary Code Execution was possible by uploading PHP files. Additionally it was possible to create posts on behalf of logged in users (CSRF).

Solution: An updated version 1.9.3 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/mm_forum/1.9.3/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Michael Knabe and Stano Paska who discovered and reported the issue.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.