TYPO3-EXT-SA-2014-005: Access Bypass in extensions "Yet Another Gallery" (yag) and "Tools for Extbase development" (pt_extbase)
February 12, 2014
It has been discovered that the extensions "Yet Another Gallery" (yag) and "Tools for Extbase development" (pt_extbase) are susceptible to Access Bypass
Release Date: February 12, 2014
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: yag: Version 3.0.0 and below, pt_extbase: Version 1.5.0 and below
Vulnerability Type: Access Bypass
Bulletin update: September 18, 2014 (added CVE)
Problem Description: The extension pt_extbase comes with an Ajax dispatcher for Extbase. Using this dispatcher it is possible to call every action in every controller of every Extbase extension installed on the system. The dispatcher failes to do access checks, thus it is possible to bypass access checks for Extbase Backend Modules like the backend user administration module. The extension yag also delivered an Ajax dispatcher, which was unused but vulnerable.
Important Note: The unused Ajax Dispatcher code in extension yag has been removed. If any other installed extensions made use of this dispatcher, it will stop working. Additionally the Ajax dispatcher in pt_extbase was modified to do access checks. Third party extensions using this dispatcher need to be added to the list of allowed actions.
Solution: Updated versions 3.0.1 and 1.5.1 are available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/yag/3.0.1/t3x/ and http://typo3.org/extensions/repository/download/pt_extbase/1.5.1/t3x/. Users of the extension are advised to update the extension as soon as possible.
Credits: Credits go to Andrea Schmuttermair who discovered and reported this issue.