TYPO3-SA-2010-006: Multiple vulnerabilities in third party extensions

March 16, 2010

Category: TYPO3 Extension
Author: Marcus Krause
Keywords: TYPO3, security, TYPO3-SA-2010-006, extension, brainstorming, ch_lightem, chsellector, educator, mk_wastebasket, mydashboard, nf_cleandb, pd_diocesedatabase, reports_logview, sav_filter_abc, sav_filter_selectors, sav_filter_months, sk_bookreview, sk_simplegallery, t3quixplorer, t3sec_saltedpw, taskcenter_recent, tgm_newsletter, tmsw_cleandb, travelmate, yatse

Several vulnerabilities have been found in the following third party TYPO3 extensions: Brainstorming (brainstorming), Power Extension Manager (ch_lightem), Sellector.com Widget Integration (chsellector), Educator (educator), MK Wastebasket (mk_wastebasket), myDashboard (mydashboard), CleanDB (nf_cleandb), Diocese of Portsmouth Database (pd_diocesedatabase), Reports Logfile View (reports_logview), SAV Filter Alphabetic (sav_filter_abc), SAV Filter Selectors (sav_filter_selectors), SAV Filter Months (sav_filter_months), Book Reviews (sk_bookreview), Simple Gallery (sk_simplegallery), Typo3 Quixplorer (t3quixplorer), TYPO3 Security - Salted user password hashes (t3sec_saltedpw), UserTask Center, recent (taskcenter_recent), TGM-Newsletter (tgm_newsletter), CleanDB - DBAL (tmsw_cleandb), Meet Travelmates (travelmate), YATSE - Yet another TYPO3 search engine (yatse)

Release Date: March 16, 2010

Please read first: This Collective Security Bulletin (CSB) is a listing of vulnerable extensions with neither significant download numbers, nor other special importance amongst the TYPO3 Community. The intention of CSBs is to reduce the workload of the TYPO3 Security Team and of the maintainers of extensions with vulnerabilities. Nevertheless, vulnerabilities in TYPO3 core or important extensions will still get the well-known single Security Bulletin each.

Please read our buzz blog post, which has a detailed explanation on CSBs.

All vulnerabilities affect third party extensions. These extensions are not part of the TYPO3 default installation.

 

Extension: Brainstorming (brainstorming)
Affected Versions: 0.1.8 and all versions below
Vulnerability Type: SQL Injection
Severity: High
Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The author told us that he's no longer maintaining this extension. Please uninstall and delete all files belonging to it from your TYPO3 installation.
Credits: Credits go to Sebastian Gebhard, who discovered and reported the issue.

 

Extension: Power Extension Manager (ch_lightem)
Affected Versions: 1.0.34 and all versions below
Vulnerability Type: Information Disclosure
Severity: Medium
Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author failed in providing a security fix for the reported vulnerability in a decent amount of time. Please uninstall and delete the extension folder from your installation.
Note: Should the author decide to reply to our request and provide a fixed version, the extension could return to the TYPO3 Extension Repository.
Credits: Credits go to TYPO3 Security Team member Georg Ringer, who discovered and reported the issue.

 

Extension: Sellector.com Widget Integration (chsellector)
Affected Versions: 0.1.1 and all versions below
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Solution: An update (version 0.1.2) is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/view/chsellector/0.1.2/.
Credits: Credits go to Alexander Kellner, who discovered and reported the issue.

 

Extension: Educator (educator)
Affected Versions: 0.1.5
Vulnerability Type: SQL Injection
Severity: High
Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. At the time of writing, we don't know of a security update of the extension regarding the existing vulnerability, since we have been unable to get in contact with the author. For the time being please uninstall this extension and delete all files belonging to it from your TYPO3 installation.
Note: Should the author decide to reply to our request and provide a fixed version, the extension could return to the TYPO3 Extension Repository.
Credits: Credits go to TYPO3 Security Team member Peter Athmann, who discovered and reported the issue.

 

Extension: MK Wastebasket (mk_wastebasket)
Affected Versions: 2.1.0 and all versions below
Vulnerability Type: Blind SQL Injection
Severity: High
Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. At the time of writing, we don't know of a security update of the extension regarding the existing vulnerability, since we have been unable to get in contact with the author. For the time being please uninstall this extension and delete all files belonging to it from your TYPO3 installation.
Note: Should the author decide to reply to our request and provide a fixed version, the extension could return to the TYPO3 Extension Repository.
Credits: Credits go to TYPO3 Security Team member Marcus Krause, who discovered and reported the issue.

 

Extension: myDashboard (mydashboard)
Affected Versions: 0.1.13 and all versions below
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author failed in providing a security fix for the reported vulnerability in a decent amount of time. Please uninstall and delete the extension folder from your installation.
Note: Should the author decide to reply to our request and provide a fixed version, the extension could return to the TYPO3 Extension Repository.
Credits: Credits go to TYPO3 Security Team member Georg Ringer, who discovered and reported the issue.

 

Extension: CleanDB (nf_cleandb)
Affected Versions: 1.0.7 and all versions below
Vulnerability Type: Blind SQL Injection
Severity: High
Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The author told us that he's no longer maintaining this extension. Please uninstall and delete all files belonging to it from your TYPO3 installation.
Credits: Credits go to TYPO3 Security Team member Helmut Hummel, who discovered and reported the issue.

 

Extension: Diocese of Portsmouth Database (pd_diocesedatabase)
Affected Versions: 0.7.12 and all versions below
Vulnerability Type: SQL Injection
Severity: High
Solution: An update (version 0.7.13) is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/view/pd_diocesedatabase/0.7.13/.
Credits: Credits go to Fr. Simon Rundell and TYPO3 Security Team member Georg Ringer, who discovered and reported the issue.

 

Extension: Reports Logfile View (reports_logview)
Affected Versions: 1.2.1 and all versions below
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author failed in providing a security fix for the reported vulnerability in a decent amount of time. Please uninstall and delete the extension folder from your installation.
Note: Should the author decide to reply to our request and provide a fixed version, the extension could return to the TYPO3 Extension Repository.
Credits: Credits go to TYPO3 Security Team member Georg Ringer, who discovered and reported the issue.

 

Extension: SAV Filter Alphabetic (sav_filter_abc)
Affected Versions: 1.0.8 and all versions below
Vulnerability Type: SQL Injection
Severity: High
Solution: An update (version 1.0.9) is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/view/sav_filter_abc/1.0.9/.
Credits: Credits go to Laurent Foulloy, who discovered the issue.

 

Extension: SAV Filter Selectors (sav_filter_selectors)
Affected Versions: 1.0.4 and all versions below
Vulnerability Type: SQL Injection
Severity: High
Solution: An update (version 1.0.5) is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/view/sav_filter_selectors/1.0.5/.
Credits: Credits go to Laurent Foulloy, who discovered the issue.

 

Extension: SAV Filter Months (sav_filter_months)
Affected Versions: 1.0.4 and all versions below
Vulnerability Type: SQL Injection
Severity: High
Solution: An update (version 1.0.5) is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/view/sav_filter_months/1.0.5/.
Credits: Credits go to Laurent Foulloy, who discovered the issue.

 

Extension: Book Reviews (sk_bookreview)
Affected Versions: 0.0.12 and all versions below
Vulnerability Type: SQL Injection
Severity: Medium
Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author failed in providing a security fix for the reported vulnerability in a decent amount of time. Please uninstall and delete the extension folder from your installation.
Note: Should the author decide to reply to our request and provide a fixed version, the extension could return to the TYPO3 Extension Repository.
Credits: Credits go to TYPO3 Security Team member Georg Ringer, who discovered and reported the issue.

 

Extension: Simple Gallery (sk_simplegallery)
Affected Versions: 0.0.9 and all versions below
Vulnerability Type: Cross-Site Scripting, SQL Injection
Severity: High
Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author failed in providing a security fix for the reported vulnerability in a decent amount of time. Please uninstall and delete the extension folder from your installation.
Note: Should the author decide to reply to our request and provide a fixed version, the extension could return to the TYPO3 Extension Repository.
Credits: Credits go to TYPO3 Security Team member Georg Ringer, who discovered and reported the issue.

 

Extension: Typo3 Quixplorer (t3quixplorer)
Affected Versions: 1.7.0 and all versions below
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Solution: An update (version 1.7.1) is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/view/t3quixplorer/1.7.1/.
Credits: Credits go to TYPO3 Security Team member Georg Ringer, who discovered and reported the issue.

 

Extension: TYPO3 Security - Salted user password hashes (t3sec_saltedpw)
Affected Versions: 0.2.12 and all versions below
Vulnerability Type: Authentication bypass
Severity: High
Solution: An update (version 0.2.13) is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/view/t3sec_saltedpw/0.2.13/.
Credits: Credits go to TYPO3 Security Team member Marcus Krause, who discovered and reported the issue.

 

Extension: UserTask Center, recent (taskcenter_recent)
Affected Versions: 0.1.0 and all versions below
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Solution: An update (version 0.1.2) is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/view/taskcenter_recent/0.2.0/.
Credits: Credits go to TYPO3 Security Team member Georg Ringer, who discovered and reported the issue.

 

Extension: TGM-Newsletter (tgm_newsletter)
Affected Versions: 0.0.2
Vulnerability Type: Cross-Site Scripting, SQL injection
Severity: High
Solution: An update (version 0.0.3) is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/view/tgm_newsletter/0.0.3/.
Credits: Credits go to TYPO3 Security Team member Georg Ringer, who discovered and reported the issue.

 

Extension: CleanDB - DBAL (tmsw_cleandb)
Affected Versions: 2.1.0 and all versions below
Vulnerability Type: Blind SQL Injection
Severity: High
Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. At the time of writing, we don't know of a security update of the extension regarding the existing vulnerability, since we have been unable to get in contact with the author. For the time being please uninstall this extension and delete all files belonging to it from your TYPO3 installation.
Note: Should the author decide to reply to our request and provide a fixed version, the extension could return to the TYPO3 Extension Repository.
Credits: Credits go to TYPO3 Security Team member Marcus Krause, who discovered and reported the issue.

 

Extension: Meet Travelmates (travelmate)
Affected Versions: 0.1.1 and all versions below
Vulnerability Type: Blind SQL Injection
Severity: High
Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author failed in providing a security fix for the reported vulnerability in a decent amount of time. Please uninstall and delete the extension folder from your installation.
Note: Should the author decide to reply to our request and provide a fixed version, the extension could return to the TYPO3 Extension Repository.
Credits: Credits go to TYPO3 Security Team member Marcus Krause, who discovered and reported the issue.

 

Extension: YATSE - Yet another TYPO3 search engine (yatse)
Affected Versions: 0.3.1 and all versions below
Vulnerability Type: Cross-Site Scripting, SQL Injection
Severity: High
Solution: An update (version 0.3.2) is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/view/yatse/0.3.2/.
Credits: Credits go to TYPO3 Security Team member Georg Ringer, who discovered and reported the issue.

 

 

 

General advice: Follow the recommendations that are given in the TYPO3 Security Cookbook. Please subscribe to the typo3-announce mailing list in order to receive future Security Bulletins via E-mail.