Releasing TYPO3-Encryption Key Tool (TYPO3-SA-2009-001)

[christopher.riley () r-it at]

Hi,

Middle of last week, the TYPO3 Security Team released a new version of 
TYPO3 to fix a number of vulnerabilities (see TYPO3-SA-2009-001 for more 
details). Now that the there is a patch available, I've released 
information on the Weak Encryption Key flaw discovered back in November 
2008 (referred to as Insecure Randomness in the TYPO3 release), as well as 
a Python script that automates (most) of the process of discovering the 
Encryption Key from a vulnerable TYPO3 install. 

The tool is available from the tools section on www.c22.cc along with 
technical details of the vulnerability and a demo video (HD version 
available on Vimeo).

Feedback on the tool and vulnerability would be gratefully received as 
this is my first attempt at a Python script. Please let me know what you 
think.

Announcment: 
http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/

Hope this is useful,

Chris John Riley 

----------------------------------------
Raiffeisen Informatik GmbH, Firmenbuchnr. 88239p, Handelsgericht Wien, DVR 0486809, UID ATU 16351908

Der Austausch von Nachrichten mit oben angefuehrtem Absender via E-Mail dient ausschliesslich Informationszwecken. 
Rechtsgeschaeftliche Erklaerungen duerfen ueber dieses Medium nicht ausgetauscht werden. 
Correspondence with above mentioned sender via e-mail is only for information purposes. This medium may not be used for 
exchange of legally-binding communications.
----------------------------------------