Hi there! A security vulnerability has been found in typo3 4.0.2, which is currently in testing. You can find further information here:
http://typo3.org/teams/security/security-bulletins/typo3-20070221-1/ A bug has been filed against the packages: #412019. I fixed that hole and made new packages (see the debdiff in the attachment). Where should I ask my sponsor, Daniel Baumann, to upload the fixed packages? Please CC me, because I'm not subscribed to this list. -- MfG, Christian Welzel GPG-Key: http://www.camlann.de/key.asc Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
diff -u typo3-src-4.0.2+debian/debian/changelog typo3-src-4.0.2+debian/debian/changelog
--- typo3-src-4.0.2+debian/debian/changelog
+++ typo3-src-4.0.2+debian/debian/changelog
@@ -1,3 +1,10 @@
+typo3-src (4.0.2+debian-3) testing; urgency=medium
+
+ * Fixed security problem "TYPO3 Security Bulletin 20070221-1: Email header
+ injection" with patch taken from 4.0.5. (Closes: 412019)
+
+ -- Christian Welzel <[EMAIL PROTECTED]> Thu, 22 Feb 2007 22:30:00 +0100
+
 typo3-src (4.0.2+debian-2) testing; urgency=high
 
 * Fixed security problem in rtehtmlarea extension with patch from typo3-src
diff -u typo3-src-4.0.2+debian/debian/patches/00list typo3-src-4.0.2+debian/debian/patches/00list
--- typo3-src-4.0.2+debian/debian/patches/00list
+++ typo3-src-4.0.2+debian/debian/patches/00list
@@ -1,0 +2 @@
+02-SecBull-20070221-1
only in patch2:
unchanged:
--- typo3-src-4.0.2+debian.orig/debian/patches/02-SecBull-20070221-1.dpatch
+++ typo3-src-4.0.2+debian/debian/patches/02-SecBull-20070221-1.dpatch
@@ -0,0 +1,84 @@
+#!/bin/sh /usr/share/dpatch/dpatch-run
+## 02-SecBull-20070221-1.dpatch by Christian Welzel <[EMAIL PROTECTED]>
+##
+## DP: fix for TYPO3 Security Bulletin 20070221-1: Email header injection
+ [EMAIL PROTECTED]@
+
+diff -Naur typo3_src-4.0.2_old/t3lib/class.t3lib_formmail.php typo3_src-4.0.2/t3lib/class.t3lib_formmail.php
+--- typo3_src-4.0.2_old/t3lib/class.t3lib_formmail.php 2006/07/17 16:38:30 1646
++++ typo3_src-4.0.2/t3lib/class.t3lib_formmail.php 2007/02/21 04:39:40 2144
+@@ -68,6 +68,7 @@
+ */
+ class t3lib_formmail extends t3lib_htmlmail {
+ var $reserved_names = 'recipient,recipient_copy,auto_respond_msg,redirect,subject,attachment,from_email,from_name,replyto_email,replyto_name,organisation,priority,html_enabled,quoted_printable,submit_x,submit_y';
++ var $dirtyHeaders = array(); // collection of suspicious header data, used for logging
+
+
+ /**
+@@ -113,19 +114,28 @@
+ // convert form data from renderCharset to mail charset
+ $val = ($V['subject']) ? $V['subject'] : 'Formmail on '.t3lib_div::getIndpEnv('HTTP_HOST');
+ $this->subject = ($convCharset && strlen($val)) ? $GLOBALS['TSFE']->csConvObj->conv($val,$GLOBALS['TSFE']->renderCharset,$this->charset) : $val;
++ $this->subject = $this->sanitizeHeaderString($this->subject);
+ $val = ($V['from_name']) ? $V['from_name'] : (($V['name'])?$V['name']:'');
+ $this->from_name = ($convCharset && strlen($val)) ? $GLOBALS['TSFE']->csConvObj->conv($val,$GLOBALS['TSFE']->renderCharset,$this->charset) : $val;
++ $this->from_name = $this->sanitizeHeaderString($this->from_name);
++ $this->from_name = preg_match( '/\s|,/', $this->from_name ) >= 1 ? '"'.$this->from_name.'"' : $this->from_name;
+ $val = ($V['replyto_name']) ? $V['replyto_name'] : $this->from_name;
+ $this->replyto_name = ($convCharset && strlen($val)) ? $GLOBALS['TSFE']->csConvObj->conv($val,$GLOBALS['TSFE']->renderCharset,$this->charset) : $val;
++ $this->replyto_name = $this->sanitizeHeaderString($this->replyto_name);
++ $this->replyto_name = preg_match( '/\s|,/', $this->replyto_name ) > 1 ? '"'.$this->replyto_name.'"' : $this->replyto_name;
+ $val = ($V['organisation']) ? $V['organisation'] : '';
+ $this->organisation = ($convCharset && strlen($val)) ? $GLOBALS['TSFE']->csConvObj->conv($val,$GLOBALS['TSFE']->renderCharset,$this->charset) : $val;
++ $this->organisation = $this->sanitizeHeaderString($this->organisation);
+
+ $this->from_email = ($V['from_email']) ? $V['from_email'] : (($V['email'])?$V['email']:'');
++ $this->from_email = t3lib_div::validEmail($this->from_email) ? $this->from_email : '';
+ $this->replyto_email = ($V['replyto_email']) ? $V['replyto_email'] : $this->from_email;
++ $this->replyto_email = t3lib_div::validEmail($this->replyto_email) ? $this->replyto_email : '';
+ $this->priority = ($V['priority']) ? t3lib_div::intInRange($V['priority'],1,5) : 3;
+
+ // Auto responder.
+ $this->auto_respond_msg = (trim($V['auto_respond_msg']) && $this->from_email) ? trim($V['auto_respond_msg']) : '';
++ $this->auto_respond_msg = $this->sanitizeHeaderString($this->auto_respond_msg);
+
+ $Plain_content = '';
+ $HTML_content = '<table border="0" cellpadding="2" cellspacing="2">';
+@@ -173,6 +183,13 @@
+ if ($V['recipient_copy']) {
+ $this->recipient_copy = trim($V['recipient_copy']);
+ }
++ // log dirty header lines
++ if ($this->dirtyHeaders) {
++ t3lib_div::sysLog( 'Possible misuse of t3lib_formmail: see TYPO3 devLog', 'Core', 3 );
++ if ($GLOBALS['TYPO3_CONF_VARS']['SYS']['enable_DLOG']) {
++ t3lib_div::devLog( 't3lib_formmail: '. t3lib_div::arrayToLogString($this->dirtyHeaders, '', 200 ), 'Core', 3 );
++ }
++ }
+ }
+ }
+
+@@ -201,6 +218,22 @@
+ return true;
+ } else { return false;}
+ }
++
++
++ /**
++ * Checks string for suspicious characters
++ *
++ * @param string String to check
++ * @return string Valid or empty string
++ */
++ function sanitizeHeaderString ($string) {
++ $pattern = '/[\r\n\f\e]/';
++ if (preg_match($pattern, $string) > 0) {
++ $this->dirtyHeaders[] = $string;
++ $string = '';
++ }
++ return $string;
++ }
+ }
+
+
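Review bot: The quoting test added for `replyto_name` in the `@@ -113,19 +114,28 @@` hunk compares `preg_match( '/\s|,/', $this->replyto_name ) > 1`, but preg_match() returns at most 1, so the branch never runs and a reply-to name containing whitespace or a comma stays unquoted, unlike `from_name` a few lines earlier, which uses `>= 1`. When aligning the two, keep in mind that `replyto_name` falls back to the already-quoted `$this->from_name`, so the quoting should apply only to a submitted value, e.g. `if ($V['replyto_name'] && preg_match('/[\s,]/', $this->replyto_name)) { $this->replyto_name = '"'.$this->replyto_name.'"'; }`. Both quoting lines wrap the name without escaping an embedded `"` or `\`, so the result is not guaranteed to be a well-formed quoted string; escaping or stripping those characters before wrapping would close that gap. In the `@@ -173,6 +183,13 @@` hunk the context line `$this->recipient_copy = trim($V['recipient_copy']);` is left as it was, and `trim()` does not remove interior CR/LF, so if that field can be supplied by the form submitter it presumably needs `sanitizeHeaderString()` or `t3lib_div::validEmail()` as well. The enclosing method starts and ends outside these hunks, so how each field is later placed into a header is not visible here.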