[Bug 327342] Re: typo3 security: several issues

Fri Feb 27 11:21:02 UTC 2009

The Ubuntu package typo3-src-4.1 (4.1.2+debian-1ubuntu1) has these
security problems.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
= = = = = = = = = = = =

TYPO3 Security Bulletin TYPO3-SA-2009-002: Information Disclosure & XSS
in TYPO3 Core, see: http://typo3.org/teams/security/security-
bulletins/typo3-sa-2009-002/

Component Type: TYPO3 Core

Affected Versions: TYPO3 versions 3.3.x, 3.5.x, 3.6.x, 3.7.x, 3.8.x, 4.0
to 4.0.11, 4.1.0 to 4.1.9, 4.2.0 to 4.2.5, 4.3alpha1

Vulnerability Types: Information Disclosure, Cross-Site Scripting

Overall Severity: Critical

Release Date: February 10, 2009 — 9am (GMT)

Vulnerable subcomponent #1: Access tracking mechanism

Vulnerability Type: Information Disclosure

Severity: Critical

Problem Description: An Information Disclosure vulnerability in jumpUrl
mechanism, used to track access on web pages and provided files, allows
a remote attacker to read arbitrary files on a host.

The expected value of a mandatory hash secret, intended to invalidate
such requests, is exposed to remote users allowing them to bypass access
control by providing the correct value.

There's no authentication required to exploit this vulnerability. The
vulnerability allows to read any file, the web server user account has
access to.

Possible Impact: This flaw is making it potentially possible for the
hacker to download the contents of any file on the server, i.e.
typo3conf/localconf.php, which holds both install tool password
alongside database username and password.

Using rainbow tables, the hacker may be able to login to your install
tool and from there take over your website.

Please refer to the section "Other recommendations" in order to
understand some general methods of securing your TYPO3 installation.

Solution:

You can choose one of the solutions below:

1) Update to the TYPO3 versions 4.0.12, 4.1.10 or 4.2.6, or

2) Use this shell script (md5 sum: 0cbd0aac72e624cb3dd6673a01f85320,
documentation in file) to run accross your webservers in order to
replace the affected lines, or

2) Apply one of the patches linked below (fitting to the version you're
using), or

3) Edit the affected file class.tslib_fe.php following the instructions
below.

In TYPO3 versions equal or greater than 4.0, the affected file is
located in typo3/sysext/cms/tslib/class.tslib_fe.php.

In TYPO3 versions lower than 4.0, the affected file is located in
tslib/class.tslib_fe.php and possibly symlinked to the aforementioned
location, also in typo3/sysext/cms/tslib/class.tslib_fe.php

In the file, search for the line:
------------------------
} else die('jumpurl Secure: Calculated juHash, '.$calcJuHash.', did not match the submitted juHash.');
------------------------

and replace it with:
------------------------
} else die('jumpurl Secure: Calculated juHash did not match the submitted juHash.');
------------------------

Note: Version 3.3 and 3.5 of TYPO3 uses double-quotes, which means you
have to search ".$calcJuHash." when doing manual replacing.

Patches for older TYPO3 versions: (please see: http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-002/)
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = 

It would be very nice to have all these security issues fixed in the
packages. Maybe include a fix for this as well:
https://bugs.launchpad.net/bugs/290649

-- 
typo3 security: several issues
https://bugs.launchpad.net/bugs/327342
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs