Bug#749215: marked as done (TYPO3-CORE-SA-2014-001: Multiple Vulnerabilities in TYPO3 CMS)
Your message dated Wed, 04 Jun 2014 07:48:22 +
with message-id and subject line Bug#749215: fixed in typo3-src 4.5.19+dfsg1-5+wheezy3
has caused the Debian Bug report #749215,
regarding TYPO3-CORE-SA-2014-001: Multiple Vulnerabilities in TYPO3 CMS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
749215: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749215
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: typo3-src
Severity: critical
Tags: security

It has been discovered that TYPO3 CMS is vulnerable to Cross-Site Scripting, Insecure Unserialize, Improper Session Invalidation, Authentication Bypass, Information Disclosure and Host Spoofing.

Component Type: TYPO3 CMS
Overall Severity: Medium
Release Date: May 22, 2014

Vulnerability Type: Host Spoofing
Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13, 6.1.0 to 6.1.8 and 6.2.0 to 6.2.2
Severity: Medium
CVE: not assigned yet
Problem Description: Failing to properly validate the HTTP host-header TYPO3 CMS is susceptible to host spoofing. TYPO3 uses the HTTP host-header to generate absolute URLs in several places like 404 handling, http(s) enforcement, password reset links and many more. Since the host header itself is provided by the client it can be forged to any value, even in a name based virtual hosts environment. A blog post describes this problem in great detail.

Vulnerable subcomponent: Color Picker Wizard
Vulnerability Type: Insecure Unserialize
Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13 and 6.1.0 to 6.1.8
Severity: Low
CVE: not assigned yet
Problem Description: Failing to validate authenticity of a passed serialized string, the color picker wizard is susceptible to insecure unserialize, allowing authenticated editors to unserialize arbitrary PHP objects.

Vulnerable subcomponent: Backend
Vulnerability Type: Cross-Site Scripting
Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13, 6.1.0 to 6.1.8 and 6.2.0 to 6.2.2
Severity: Low
CVE: not assigned yet
Problem Description: Failing to properly encode user input, several backend components are susceptible to Cross-Site Scripting, allowing authenticated editors to inject arbitrary HTML or JavaScript by crafting URL parameters.

Vulnerable subcomponent: ExtJS
Vulnerability Type: Cross-Site Scripting
Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13, 6.1.0 to 6.1.8 and 6.2.0 to 6.2.2
Severity: Medium
CVE: not assigned yet
Problem Description: The ExtJS JavaScript framework that is shipped with TYPO3 also delivers a flash file to show charts. This file is susceptible to Cross-Site Scripting. This vulnerability can be exploited without any authentication.

Vulnerable subcomponent: Authentication
Vulnerability Type: Authentication Bypass
Affected Versions: All TYPO3 versions not configured to use salted passwords
Severity: medium
CVE: not assigned yet
Problem Description: When the use of salted password is disabled (which is enabled by default since TYPO3 4.6 and required since TYPO3 6.2) passwords for backend access are stored as md5 hash in the database. This hash (e.g. taken from a successful SQL injection) can be used directly to authenticate backend users without knowing or reverse engineering the password.

--
MfG, Christian Welzel
GPG-Key: pub 4096R/5117E119 2011-09-19
Fingerprint: 3688 337C 0D3E 3725 94EC E401 8D52 CDE9 5117 E119
--- End Message ---

--- Begin Message ---
Source: typo3-src
Source-Version: 4.5.19+dfsg1-5+wheezy3

We believe that the bug you reported is fixed in the latest version of typo3-src, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 749...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Welzel (supplier of updated typo3-src package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Format: 1.8
Date: Sun, 25 May 2014 11:00:00 +0200
Source: typo3-src
Binary: typo3-src-4.5 typo3-database typo3-dummy typo3
Architecture: source all
Version: 4.5.19+dfsg1-5+wheezy3
Distribution: wheezy-security
Urgency: medium
Maintainer: Christian
Bug#749215: marked as done (TYPO3-CORE-SA-2014-001: Multiple Vulnerabilities in TYPO3 CMS)
Your message dated Sun, 25 May 2014 09:41:34 +
with message-id and subject line Bug#749215: fixed in typo3-src 4.5.34+dfsg1-1
has caused the Debian Bug report #749215,
regarding TYPO3-CORE-SA-2014-001: Multiple Vulnerabilities in TYPO3 CMS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
749215: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749215
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: typo3-src
Severity: critical
Tags: security

It has been discovered that TYPO3 CMS is vulnerable to Cross-Site Scripting, Insecure Unserialize, Improper Session Invalidation, Authentication Bypass, Information Disclosure and Host Spoofing.

Component Type: TYPO3 CMS
Overall Severity: Medium
Release Date: May 22, 2014

Vulnerability Type: Host Spoofing
Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13, 6.1.0 to 6.1.8 and 6.2.0 to 6.2.2
Severity: Medium
CVE: not assigned yet
Problem Description: Failing to properly validate the HTTP host-header TYPO3 CMS is susceptible to host spoofing. TYPO3 uses the HTTP host-header to generate absolute URLs in several places like 404 handling, http(s) enforcement, password reset links and many more. Since the host header itself is provided by the client it can be forged to any value, even in a name based virtual hosts environment. A blog post describes this problem in great detail.

Vulnerable subcomponent: Color Picker Wizard
Vulnerability Type: Insecure Unserialize
Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13 and 6.1.0 to 6.1.8
Severity: Low
CVE: not assigned yet
Problem Description: Failing to validate authenticity of a passed serialized string, the color picker wizard is susceptible to insecure unserialize, allowing authenticated editors to unserialize arbitrary PHP objects.

Vulnerable subcomponent: Backend
Vulnerability Type: Cross-Site Scripting
Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13, 6.1.0 to 6.1.8 and 6.2.0 to 6.2.2
Severity: Low
CVE: not assigned yet
Problem Description: Failing to properly encode user input, several backend components are susceptible to Cross-Site Scripting, allowing authenticated editors to inject arbitrary HTML or JavaScript by crafting URL parameters.

Vulnerable subcomponent: ExtJS
Vulnerability Type: Cross-Site Scripting
Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13, 6.1.0 to 6.1.8 and 6.2.0 to 6.2.2
Severity: Medium
CVE: not assigned yet
Problem Description: The ExtJS JavaScript framework that is shipped with TYPO3 also delivers a flash file to show charts. This file is susceptible to Cross-Site Scripting. This vulnerability can be exploited without any authentication.

Vulnerable subcomponent: Authentication
Vulnerability Type: Authentication Bypass
Affected Versions: All TYPO3 versions not configured to use salted passwords
Severity: medium
CVE: not assigned yet
Problem Description: When the use of salted password is disabled (which is enabled by default since TYPO3 4.6 and required since TYPO3 6.2) passwords for backend access are stored as md5 hash in the database. This hash (e.g. taken from a successful SQL injection) can be used directly to authenticate backend users without knowing or reverse engineering the password.

--
MfG, Christian Welzel
GPG-Key: pub 4096R/5117E119 2011-09-19
Fingerprint: 3688 337C 0D3E 3725 94EC E401 8D52 CDE9 5117 E119
--- End Message ---

--- Begin Message ---
Source: typo3-src
Source-Version: 4.5.34+dfsg1-1

We believe that the bug you reported is fixed in the latest version of typo3-src, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 749...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Welzel (supplier of updated typo3-src package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 25 May 2014 10:00:00 +0200
Source: typo3-src
Binary: typo3-src-4.5 typo3-database typo3-dummy typo3
Architecture: source all
Version: 4.5.34+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Christian Welzel
Changed-By: Christian
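
The Host Spoofing item quoted in both messages above comes down to building absolute URLs from a client-supplied header. The following is an added example, not code from the advisory, TYPO3 or the Debian package: it checks the Host header against an anchored allowlist before a password reset link is built. The function names, the pattern and the host names are hypothetical.

```php
<?php
// Added example, not TYPO3 code. Host names, token and pattern are constructed.

/**
 * Return the normalized host[:port] when the client-supplied Host header
 * matches the allowlist, or null when the request must be refused.
 */
function validatedHost(string $hostHeader, string $trustedPattern): ?string
{
    $host = strtolower(trim($hostHeader));
    // Syntax first: a host name or bracketed IPv6 literal, optional port, nothing else.
    // \z (not $) so an embedded line break can never end the match early.
    $syntax = '/^(?:[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?|\[[0-9a-f:]+\])(?::\d{1,5})?\z/';
    if (!preg_match($syntax, $host)) {
        return null;
    }
    // The allowlist is anchored at both ends; an unanchored match would accept
    // a trusted name that merely appears inside a longer, foreign host name.
    if (!preg_match('/^(?:' . $trustedPattern . ')\z/', $host)) {
        return null;
    }
    return $host;
}

/** Build the reset link only from a validated host; null means "answer 400, send no mail". */
function passwordResetUrl(string $hostHeader, string $token, string $trustedPattern): ?string
{
    $host = validatedHost($hostHeader, $trustedPattern);
    if ($host === null) {
        return null;
    }
    return 'https://' . $host . '/reset?token=' . rawurlencode($token);
}

// Constructed sample headers: two legitimate, three forged.
$trusted = '(?:www\.)?example\.org(?::443)?';
$samples = [
    'www.example.org',
    'Example.org:443',
    'evil.example.net',
    'example.org.evil.example.net',
    "example.org\r\nX-Injected: 1",
];
foreach ($samples as $header) {
    $url = passwordResetUrl($header, 'constructed-token', $trusted);
    printf("%-36s => %s\n", json_encode($header), $url ?? 'rejected');
}
```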
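
The Color Picker Wizard item quoted in both messages above names the missing step: the authenticity of the serialized string is not validated before it is unserialized. The following is an added example, not code from the advisory or from TYPO3: it tags the serialized string with an HMAC and verifies the tag before `unserialize()` is called. The function names, key and field values are hypothetical.

```php
<?php
// Added example, not TYPO3 code. The key and the state values are constructed.

/** Serialize $state and prepend an HMAC-SHA256 tag computed with a server-side key. */
function sealState(array $state, string $key): string
{
    $payload = serialize($state);
    return hash_hmac('sha256', $payload, $key) . ':' . base64_encode($payload);
}

/** Return the original array, or null when the tag or the format does not check out. */
function openState(string $sealed, string $key): ?array
{
    $parts = explode(':', $sealed, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $encoded] = $parts;
    $payload = base64_decode($encoded, true);
    if ($payload === false) {
        return null;
    }
    // Authenticity is checked, in constant time, before the bytes reach unserialize().
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    // Defense in depth: this input is never allowed to instantiate classes.
    $value = unserialize($payload, ['allowed_classes' => false]);
    return is_array($value) ? $value : null;
}

$key = 'constructed-demo-key-load-the-real-one-from-server-config';
$sealed = sealState(['color' => '#ff8700', 'fieldName' => 'bgcolor'], $key);
var_dump(openState($sealed, $key));

// A client that keeps the tag but swaps the payload fails the MAC check,
// so its bytes are never passed to unserialize().
[$mac] = explode(':', $sealed, 2);
$forged = $mac . ':' . base64_encode(serialize(['color' => '#000000']));
var_dump(openState($forged, $key));
```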