TYPO3-EXT-SA-2014-005: Access Bypass in extensions "Yet Another Gallery" (yag) and "Tools for Extbase development" (pt_extbase)

It has been discovered that the extensions "Yet Another Gallery" (yag) and "Tools for Extbase development" (pt_extbase) are susceptible to Access Bypass

Release Date: February 12, 2014

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: yag: Version 3.0.0 and below, pt_extbase: Version 1.5.0 and below

Vulnerability Type: Access Bypass

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:P/A:N/E:F/RL:O/RC:C (What's that?)

CVE: CVE-2014-6289

Bulletin update: September 18, 2014 (added CVE)

Problem Description: The extension pt_extbase comes with an Ajax dispatcher for Extbase. Using this dispatcher it is possible to call every action in every controller of every Extbase extension installed on the system. The dispatcher failes to do access checks, thus it is possible to bypass access checks for Extbase Backend Modules like the backend user administration module. The extension yag also delivered an Ajax dispatcher, which was unused but vulnerable.

Important Note: The unused Ajax Dispatcher code in extension yag has been removed. If any other installed extensions made use of this dispatcher, it will stop working. Additionally the Ajax dispatcher in pt_extbase was modified to do access checks. Third party extensions using this dispatcher need to be added to the list of allowed actions.

Solution: Updated versions 3.0.1 and 1.5.1 are available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/yag/3.0.1/t3x/ and http://typo3.org/extensions/repository/download/pt_extbase/1.5.1/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Andrea Schmuttermair who discovered and reported this issue.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.