Re: CVE request: TYPO3-CORE-SA-2012-001

[Kurt Seifried <kseifried () redhat com>]

On 03/29/2012 02:44 PM, Florian Weimer wrote:
> I may have missed a previous request.  If I can count properly, there
> are four different issues:

You can count properly!

> | Vulnerable subcomponent: Extbase Framework
> | Affected Versions:
> |   Versions 4.4.x and 4.5.x are not affected by this vulnerabilty.
> | Vulnerability Type: Insecure Unserialize
> | 
> | Problem Description: Due to a missing signature (HMAC) for a request
> | argument, an attacker could unserialize arbitrary objects within
> | TYPO3.
> | 
> | To our knowledge it is neither possible to inject code through this
> | vulnerability, nor are there exploitable objects within the TYPO3
> | Core. However, there might be exploitable objects within third party
> | extensions.

Please use CVE-2012-1605 for this issue.

> | Vulnerable subcomponent: TYPO3 Backend
> | Vulnerability Type: Cross-Site Scripting
> | 
> | Problem Description: Failing to properly HTML-encode user input in
> | several places, the TYPO3 backend is susceptible to Cross-Site
> | Scripting. A valid backend user is required to exploit these
> | vulnerabilities.

Please use CVE-2012-1606 for this issue.

> | Vulnerable subcomponent: TYPO3 Command Line Interface
> | Vulnerability Type: Information Disclosure
> |
> | Problem Description: Accessing a CLI Script directly with a browser
> | may disclose the database name used for the TYPO3 installation.

Please use CVE-2012-1607 for this issue.

> | Vulnerable subcomponent: TYPO3 HTML Sanitizing API
> | Vulnerability Type: Cross-Site Scripting
> |
> | Problem Description: By not removing non printable characters, the API
> | method t3lib_div::RemoveXSS() fails to filter specially crafted HTML
> | injections, thus is susceptible to Cross-Site Scripting.

Please use CVE-2012-1608 for this issue.

> <http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-001/>


-- 
Kurt Seifried Red Hat Security Response Team (SRT)