Your message dated Sun, 11 Nov 2012 10:47:51 +0000
with message-id <[email protected]>
and subject line Bug#692775: fixed in typo3-src 4.5.19+dfsg1-3
has caused the Debian Bug report #692775,
regarding TYPO3-CORE-SA-2012-005: Several Vulnerabilities in TYPO3 Core
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
692775: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692775
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: typo3-src
Severity: critical
Tags: security
It has been discovered that TYPO3 Core is vulnerable to SQL Injection,
Information Disclosure and Cross-Site Scripting
Component Type: TYPO3 Core
Affected Versions: 4.5.0 up to 4.5.20, 4.6.0 up to 4.6.13, 4.7.0 up to
4.7.5 and development releases of the 6.0 branch.
Vulnerability Types: SQL Injection, Cross-Site Scripting, Information
Disclosure
Overall Severity: Medium
Release Date: November 8, 2012
Vulnerable subcomponent: TYPO3 Backend History Module
Vulnerability Type: SQL Injection, Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:C/I:C/A:N/E:F/RL:O/RC:C
Problem Description: Due to missing encoding of user input, the history
module is susceptible to SQL Injection and Cross-Site Scripting. A valid
backend login is required to exploit this vulnerability.
Vulnerability Type: Information Disclosure
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:O/RC:C
Problem Description: Due to a missing access check, regular editors
could see the history view of arbitrary records, only by forging a
proper URL for the History Module. A valid backend login is required to
exploit this vulnerability.
Vulnerable subcomponent: TYPO3 Backend API
Vulnerability Type: Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C
Problem Description: Failing to properly HTML-encode user input, the tree
render API (TCA-Tree) is susceptible to Cross-Site Scripting. TYPO3
versions below 6.0 do not make use of this API and are thus not
exploitable if no third-party extension that uses this API is
installed. A valid backend login is required to exploit this vulnerability.
Vulnerability Type: Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:P/RL:O/RC:C
Problem Description: Failing to properly encode user input, the function
menu API is susceptible to Cross-Site Scripting. A valid backend login
is required to exploit this vulnerability.
--
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
--- End Message ---
--- Begin Message ---
Source: typo3-src
Source-Version: 4.5.19+dfsg1-3
We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christian Welzel <[email protected]> (supplier of updated typo3-src package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 08 Nov 2012 22:04:00 +0100
Source: typo3-src
Binary: typo3-src-4.5 typo3-database typo3-dummy typo3
Architecture: source all
Version: 4.5.19+dfsg1-3
Distribution: unstable
Urgency: medium
Maintainer: Christian Welzel <[email protected]>
Changed-By: Christian Welzel <[email protected]>
Description:
typo3 - web content management system (meta)
typo3-database - web content management system (database)
typo3-dummy - web content management system (basic site structure)
typo3-src-4.5 - web content management system (core)
Closes: 692775
Changes:
typo3-src (4.5.19+dfsg1-3) unstable; urgency=medium
.
* Added patch for TYPO3-SA-2012-5 (Closes: #692775)
* Set patch level version to -pl.4.5.21.
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---