It has been discovered that the extensions "Yet Another Gallery" (yag) and "Tools for Extbase development" (pt_extbase) are susceptible to Access Bypass
Release Date: February 12, 2014
Third party extensions. These extensions are not part of the TYPO3 default installation.
yag: Version 3.0.0 and below, pt_extbase: Version 1.5.0 and below
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:P/A:N/E:F/RL:O/RC:C
September 18, 2014 (added CVE)
The extension pt_extbase comes with an Ajax dispatcher for Extbase. Using this dispatcher it is possible to call every action in every controller of every Extbase extension installed on the system. The dispatcher fails to perform access checks, so it is possible to bypass the access checks of Extbase backend modules, such as the backend user administration module. The extension yag also shipped an Ajax dispatcher, which was unused but equally vulnerable.
The unused Ajax dispatcher code in extension yag has been removed. If any other installed extension made use of this dispatcher, it will stop working. Additionally, the Ajax dispatcher in pt_extbase was modified to perform access checks. Third party extensions using this dispatcher need to be added to the list of allowed actions.
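To illustrate the allow-list approach described above, here is an added example (not the pt_extbase or yag code, and not TYPO3's API): a minimal dispatcher that only routes a request when its extension/controller/action triple is explicitly allow-listed, and rejects everything else. All extension, controller and action names in it are constructed.

```php
<?php
// Added illustration of an allow-listed Ajax dispatcher. This is not the
// pt_extbase implementation; extension, controller and action names are constructed.

declare(strict_types=1);

// Allow-list: only these extension -> controller -> actions may be reached
// through the dispatcher. A target that is not listed (for example a backend
// module) is never dispatched, regardless of what the request asks for.
const ALLOWED_ACTIONS = [
    'yag'   => ['Gallery' => ['list', 'show']],
    'myext' => ['Search'  => ['suggest']],
];

function isAllowed(array $allowed, string $ext, string $controller, string $action): bool
{
    return isset($allowed[$ext][$controller])
        && in_array($action, $allowed[$ext][$controller], true);
}

/**
 * Decide how the dispatcher treats a request: 'dispatch' only when the
 * requested triple is allow-listed, 'deny' in every other case (including
 * missing parameters). The allow-list is the single gate; callers cannot
 * widen it through request data.
 */
function dispatchDecision(array $request, array $allowed = ALLOWED_ACTIONS): string
{
    $ext        = (string)($request['extensionName'] ?? '');
    $controller = (string)($request['controllerName'] ?? '');
    $action     = (string)($request['actionName'] ?? '');

    if ($ext === '' || $controller === '' || $action === '') {
        return 'deny';
    }
    return isAllowed($allowed, $ext, $controller, $action) ? 'dispatch' : 'deny';
}

// Constructed sample requests: a legitimate gallery call, and a request that
// tries to reach an unrelated controller not present in the allow-list.
$legit = ['extensionName' => 'yag', 'controllerName' => 'Gallery', 'actionName' => 'list'];
$other = ['extensionName' => 'other_ext', 'controllerName' => 'Admin', 'actionName' => 'index'];

echo dispatchDecision($legit) . PHP_EOL;
echo dispatchDecision($other) . PHP_EOL;
```

The allow-list is maintained by the site integrator, which is why third party extensions that rely on the dispatcher must be registered in it after the update.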
Updated versions 3.0.1 and 1.5.1 are available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/yag/3.0.1/t3x/. Users of the extensions are advised to update as soon as possible.
Credits go to Andrea Schmuttermair who discovered and reported this issue.
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.