From c41a2d5eb93275dc497b39a207e7a96f269e0fda Mon Sep 17 00:00:00 2001 From: joneum Date: Tue, 17 Jul 2018 15:29:24 +0000 Subject: Document vulberability for typo3-7 and typo3-8 --- security/vuxml/vuln.xml | 58 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 03bfc2dcae35..a2c34eb22db0 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -58,6 +58,64 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + typo3 -- multiple vulnerabilities + + + typo3-7 + 7.6.30 + + + typo3-8 + 8.7.17 + + + + +

Typo3 core team reports:

+
It has been discovered that TYPO3’s Salted Password system extension (which is a mandatory system component) + is vulnerable to Authentication Bypass when using hashing methods which are related by PHP class inheritance. + In standard TYPO3 core distributions stored passwords using the blowfish hashing algorithm can be overridden + when using MD5 as the default hashing algorithm by just knowing a valid username. + Per default the Portable PHP hashing algorithm (PHPass) is used which is not vulnerable.
+
Phar files (formerly known as "PHP archives") can act als self extracting archives which leads to the fact + that source code is executed when Phar files are invoked. The Phar file format is not limited to be stored + with a dedicated file extension - "bundle.phar" would be valid as well as "bundle.txt" would be. This way, + Phar files can be obfuscated as image or text file which would not be denied from being uploaded and persisted + to a TYPO3 installation. Due to a missing sanitization of user input, those Phar files can be invoked by + manipulated URLs in TYPO3 backend forms. A valid backend user account is needed to exploit this vulnerability. + In theory the attack vector would be possible in the TYPO3 frontend as well, however no functional exploit + has been identified so far.
+
Failing to properly dissociate system related configuration from user generated configuration, + the Form Framework (system extension "form") is vulnerable to SQL injection and Privilege Escalation. + Basically instructions can be persisted to a form definition file that were not configured to be modified - + this applies to definitions managed using the form editor module as well as direct file upload using the regular + file list module. A valid backend user account as well as having system extension form activated are needed + in order to exploit this vulnerability.
+
It has been discovered that the Form Framework (system extension "form") is vulnerable to Insecure Deserialization + when being used with the additional PHP PECL package “yaml”, which is capable of unserializing YAML contents + to PHP objects. A valid backend user account as well as having PHP setting "yaml.decode_php" enabled is needed + to exploit this vulnerability.
+

+ + + + CORE-SA-2018-001 + CORE-SA-2018-002 + CORE-SA-2018-003 + CORE-SA-2018-004 + https://typo3.org/security/advisory/typo3-core-sa-2018-001/ + https://typo3.org/security/advisory/typo3-core-sa-2018-002/ + https://typo3.org/security/advisory/typo3-core-sa-2018-003/ + https://typo3.org/security/advisory/typo3-core-sa-2018-004/ + + + 2018-07-12 + 2018-07-17 + + + Several Security Defects in the Bouncy Castle Crypto APIs -- cgit