TYPO3-EXT-SA-2014-001: Several vulnerabilities in extension mm_forum (mm_forum)
February 12, 2014
It has been discovered that the extension "mm_forum" (mm_forum) is vulnerable to Arbitrary Code Execution, Cross-Site Scripting and Cross-Site Request Forgery.
Release Date: February 12, 2014
Bulletin update: September 18, 2014 (added CVEs)
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: Version 1.9.2 and below
Vulnerability Type: Arbitrary Code Execution, Cross-Site Scripting and Cross-Site Request Forgery (CSRF).
CVEs: CVE-2014-6297 (Cross-Site Scripting), CVE-2014-6298 (Arbitrary Code Execution), CVE-2014-6299 (CSRF)
Problem Description: The extension fails to properly sanitize user-supplied input and is therefore vulnerable to Cross-Site Scripting. Uploaded files were not checked against the file deny pattern, so it was possible to upload arbitrary files; by uploading PHP files, Arbitrary Code Execution was possible. Additionally, it was possible to create posts on behalf of logged-in users (CSRF).
Solution: An updated version 1.9.3 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/mm_forum/1.9.3/t3x/. Users of the extension are advised to update the extension as soon as possible.
Credits: Credits go to Michael Knabe and Stano Paska, who discovered and reported the issue.
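
The upload problem in the Problem Description comes down to storing a file without matching its name against a deny pattern. The following PHP is an added example, not code from mm_forum or the TYPO3 core; the pattern, the function name `checkUploadName` and the sample names are assumptions made for illustration.

```php
<?php
// Added example; not mm_forum or TYPO3 core code.
// Assumption: a constructed deny pattern in the style of a TYPO3 file deny
// pattern. A real installation takes the pattern from its own configuration.
const DENY_PATTERN = '\.(php[0-9]?|phpsh|phtml|phar)(\..*)?$|^\.htaccess$';

/**
 * Decide whether a client-supplied upload name may be stored.
 * Returns the sanitized base name, or null if the name is rejected.
 */
function checkUploadName(string $clientName): ?string
{
    // Control characters (including NUL) never belong in a file name.
    if (preg_match('/[\x00-\x1f\x7f]/', $clientName) === 1) {
        return null;
    }
    // Keep only the last path component, for both separator styles.
    $name = basename(str_replace('\\', '/', $clientName));
    // Some filesystems drop trailing dots and spaces, so "a.php." becomes "a.php".
    $name = rtrim($name, '. ');
    if ($name === '') {
        return null;
    }
    // Case-insensitive match: a hit on the deny pattern rejects the upload.
    if (preg_match('/' . DENY_PATTERN . '/i', $name) === 1) {
        return null;
    }
    return $name;
}

// Constructed sample names, not taken from the advisory.
$samples = [
    'holiday.jpg',         // ordinary image
    'report.php',          // plain PHP file
    'report.PHP5',         // upper-case variant
    'report.php.jpg',      // PHP extension in front of a harmless one
    'report.php. ',        // trailing dot and space
    '.htaccess',           // server configuration override
    "avatar.png\0.php",    // embedded NUL byte
    '../../index.phtml',   // path components in the name
];
foreach ($samples as $sample) {
    $result = checkUploadName($sample);
    printf("%-24s %s\n", json_encode($sample), $result === null ? 'rejected' : "stored as $result");
}
```

The check belongs on the name the file will actually be stored under, before the file is moved into a directory the web server can execute from.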