TYPO3-EXT-SA-2013-017: Several vulnerabilities in third party extensions

Several vulnerabilities have been found in the following third-party TYPO3 extensions: booking, cronmm_ratsinfo, ics_awstats, iflowgallery, ke_userregister, meta_beawstatsind, powermail_optin, smarty, youtubevideos

Release Date: September 25, 2013

Please read first: This Collective Security Bulletin (CSB) is a listing of vulnerable extensions with neither significant download numbers, nor other special importance amongst the TYPO3 Community. The intention of CSBs is to reduce the workload of the TYPO3 Security Team and of the maintainers of extensions with vulnerabilities. Nevertheless, vulnerabilities in TYPO3 core or important extensions will still get the well-known single Security Bulletin each.

Please read our buzz blog post, which has a detailed explanation on CSBs.

All vulnerabilities affect third-party extensions. These extensions are not part of the TYPO3 default installation.

Extension: booking (booking)

Affected Versions: 0.2.7 and all versions below

Vulnerability Type: Insecure Unserialize

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C

Solution: An updated version 0.2.9 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/view/booking/0.2.9/. Users of the extension are advised to update the extension as soon as possible.

Extension: ics_awstats

Affected Versions: 0.5.4 and all versions below

Vulnerability Type: Unspecific

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:O/RC:C

Related CVE: CVE-2012-4547

Problem Description: The extension contains an old version of awstats which is vulnerable to an unspecific type of attack.

Solution: An updated version 0.6.0 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/view/ics_awstats/0.6.0/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Bjoern Pedersen, Xaver Maierhofer and Andrea Herzog who informed us about the issue.

Extension: Simple Image Gallery (iflowgallery)

Affected Versions: 0.1.0 and all versions below

Vulnerability Type: SQL Injection

Severity: Critical

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:C/A:N/E:F/RL:U/RC:C

Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. We were not able to contact the extension maintainer. Please uninstall and delete the extension folder from your installation.

Credits: Credits go to TYPO3 Security Team Member Franz G. Jahn who discovered and reported the issue.

Extension: Ratsinformationssystem (RIS) (cronmm_ratsinfo)

Affected Versions: 1.2.0 and all versions below

Vulnerability Type: SQL Injection

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:P/A:N/E:F/RL:O/RC:C

Solution: An updated version 1.3.0 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/view/cronmm_ratsinfo/1.3.0/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Peter Leußner who discovered and reported the issue.

Extension: Frontend User Registration (ke_userregister)

Affected Versions: 0.1.5 and all versions below

Vulnerability Type: SQL Injection

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:P/A:N/E:F/RL:O/RC:C

Solution: An updated version 0.1.6 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/view/ke_userregister/0.1.6/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Extension Author Andreas Kiefer who discovered and reported the issue.

Extension: meta_beawstatsind

Affected Versions: 1.0.1

Vulnerability Type: Unspecific

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:U/RC:C

Related CVE: CVE-2012-4547

Problem Description: The extension contains an old version of awstats which is vulnerable to an unspecific type of attack.

Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author claimed he will not maintain the extension any more. Please uninstall and delete the extension folder from your installation.

Credits: Credits go to Bjoern Pedersen, Xaver Maierhofer and Andrea Herzog who informed us about the issue.

Extension: Powermail double opt-in (powermail_optin)

Affected Versions: 1.0.1 and all versions below

Vulnerability Type: Authentication Bypass and Information Disclosure

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:P/RL:U/RC:C

Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author claimed he will not maintain the extension any more. Please uninstall and delete the extension folder from your installation.

Extension: smarty (smarty)

Affected Versions: 1.11.0 and all versions below

Vulnerability Type: Cross-Site Scripting

Severity: Low

Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:P/RL:O/RC:C

Problem Description: The extension smarty bundles the template engine smarty. Old versions of this library are known to be vulnerable to Cross-Site Scripting.

Solution: An updated version 1.13.1 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/view/smarty/1.13.1/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Alexander Wende who discovered and reported the issue.

Extension: Youtube Channel Videos (youtubevideos)

Affected Versions: 0.1.1 and all versions below

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:P/RL:U/RC:C

Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author failed to provide a security fix for the reported vulnerability in a decent amount of time. Please uninstall and delete the extension folder from your installation.

Credits: Credits go to Markus Klein who discovered and reported the issue.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.