Component Type: FLOW3
Affected Versions: 1.0, master
Release Date: March 28, 2012
Vulnerability Type: Insecure unserialize
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C
Problem Description: Due to a missing signature (HMAC) for a request argument, an attacker could unserialize arbitrary objects within FLOW3.
To our knowledge it is neither possible to inject code through this vulnerability, nor are there exploitable objects within the FLOW3 Base Distribution. However, there might be exploitable objects within user applications.
Solution: Update to FLOW3 1.0.4, which fixes the problem described.
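The class of fix the advisory describes, shown as an added PHP example that is not FLOW3's own code: a serialized request argument is accompanied by an HMAC, and the MAC is verified in constant time before unserialize() is ever called. The secret key name and the helper functions are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not FLOW3 code. $secret is an assumed per-installation key;
// a real application loads it from protected configuration, never from the request.

function signArgument(array $value, string $secret): string
{
    $payload = serialize($value);
    $mac = hash_hmac('sha256', $payload, $secret);
    // Base64 keeps the serialized string safe inside URLs and form fields;
    // '.' is outside both the base64 and hex alphabets, so it is a safe separator.
    return base64_encode($payload) . '.' . $mac;
}

function verifyAndUnserialize(string $argument, string $secret): ?array
{
    $parts = explode('.', $argument, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encoded, $mac] = $parts;
    $payload = base64_decode($encoded, true);
    if ($payload === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload, $secret);
    // Constant-time comparison; an argument the server did not sign is rejected
    // before any unserialize() call, which is the missing check from the advisory.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    // Defence in depth: even a correctly signed payload may not instantiate objects.
    $value = unserialize($payload, ['allowed_classes' => false]);
    return is_array($value) ? $value : null;
}

$secret = 'assumed-installation-secret';
$signed = signArgument(['page' => 2, 'sort' => 'title'], $secret);
var_dump(verifyAndUnserialize($signed, $secret));

// A payload that was not produced by signArgument() fails the MAC check and is never unserialized.
$foreignPayload = base64_encode('O:8:"stdClass":0:{}');
$tampered = $foreignPayload . '.' . substr($signed, strrpos($signed, '.') + 1);
var_dump(verifyAndUnserialize($tampered, $secret));
```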
Note: The same problem applies to the Extbase Framework in TYPO3. Read the corresponding advisory TYPO3-CORE-SA-2012-001 for more information.
Credits: Credits go to Security Team Member Helmut Hummel who discovered and reported the issue.
General Advice: Please subscribe to the FLOW3-announce mailing list.