PaulDotCom mailing list archives
Releasing TYPO3-Encryption Key Tool (TYPO3-SA-2009-001)
From: christopher.riley at r-it.at (christopher.riley at r-it.at)
Date: Wed, 28 Jan 2009 10:47:10 +0100
Hi,

Middle of last week, the TYPO3 Security Team released a new version of TYPO3 to fix a number of vulnerabilities (see TYPO3-SA-2009-001 for more details). Now that there is a patch available, I've released information on the Weak Encryption Key flaw discovered back in November 2008 (referred to as Insecure Randomness in the TYPO3 release), as well as a Python script that automates (most of) the process of discovering the Encryption Key from a vulnerable TYPO3 install.

The tool is available from the tools section on www.c22.cc along with technical details of the vulnerability and a demo video (HD version available on Vimeo).

Feedback on the tool and vulnerability would be gratefully received as this is my first attempt at a Python script. Please let me know what you think.

Announcement: http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/

Hope this is useful,

Chris John Riley