PaulDotCom mailing list archives

Releasing TYPO3-Encryption Key Tool (TYPO3-SA-2009-001)


From: christopher.riley at r-it.at (christopher.riley at r-it.at)
Date: Wed, 28 Jan 2009 10:47:10 +0100


Hi,

Middle of last week, the TYPO3 Security Team released a new version of
TYPO3 to fix a number of vulnerabilities (see TYPO3-SA-2009-001 for more
details). Now that there is a patch available, I've released
information on the Weak Encryption Key flaw discovered back in November
2008 (referred to as Insecure Randomness in the TYPO3 release), as well as
a Python script that automates (most) of the process of discovering the
Encryption Key from a vulnerable TYPO3 install.

The tool is available from the tools section on www.c22.cc along with
technical details of the vulnerability and a demo video (HD version
available on Vimeo).

Feedback on the tool and vulnerability would be gratefully received as this
is my first attempt at a Python script. Please let me know what you think.

Announcement:
http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/

Hope this is useful,

Chris John Riley
----------------------------------------
Raiffeisen Informatik GmbH, Firmenbuchnr. 88239p, Handelsgericht Wien, DVR
0486809, UID ATU 16351908

Correspondence with above mentioned sender via e-mail is only for
information purposes. This medium may not be used for exchange of
legally-binding communications.
----------------------------------------