Re: CVE-request: TYPO3-CORE-SA-2012-002 XSS in TYPO3 Core
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 17 Apr 2012 23:02:38 -0600

On 04/17/2012 05:54 AM, Henri Salo wrote:
Hello,

Marcus Krause, Member of the TYPO3 Security Team, said they had not
yet requested a CVE identifier for this vulnerability released today,
so here we go.

Announce of XSS:
http://lists.typo3.org/pipermail/typo3-announce/2012/000241.html
Announce of new versions:
http://lists.typo3.org/pipermail/typo3-announce/2012/000242.html
Advisory:
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-002/

Component Type: TYPO3 Core
Affected Versions: 4.4.0 up to 4.4.14, 4.5.0 up to 4.5.14, 4.6.0 up to
4.6.7 and development releases of the 4.7 branch.

Problem Description: Failing to properly encode the output, the
default TYPO3 Exception Handler is susceptible to Cross-Site
Scripting. We are not aware of a possibility to exploit this
vulnerability without third party extensions being installed that
put user input in exception messages. However, it has come to our
attention that extensions using the extbase MVC framework can be
used to exploit this vulnerability if these extensions accept
objects in controller actions. In general and especially when in
doubt if the above conditions are met, we highly recommend users of
affected versions to update as soon as possible. Important Note: In
case you have configured your own exception handler for TYPO3 you
need to make sure that the exception messages are properly encoded
within this exception handler before they are presented.

Solution: Update to the TYPO3 versions 4.4.15, 4.5.15 or 4.6.8 that
fix the problem described! Credits: Credits go to Security Team
Member Helmut Hummel who discovered and reported the issue.

- Henri Salo

Please use CVE-2012-2112 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

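The "Important Note" in the advisory, shown as an added example in plain PHP (this is not TYPO3's own exception handler code nor part of the thread): the first renderer writes the raw exception message into the error page, the second encodes it with htmlspecialchars for the HTML context first. The exception message is a constructed stand-in for user input that a third-party extension copied into an exception text.

```php
<?php
// Added example, not TYPO3 code. Constructed message standing in for
// user input that an extension placed into an exception (e.g. an
// unexpected controller argument echoed back in the message text).
$tainted = 'Argument "<script>alert(1)</script>" is not an object';

// Vulnerable pattern: the message is interpolated into HTML unencoded,
// so any markup inside it is parsed by the browser as markup.
function renderUnencoded(Exception $e)
{
    return '<h1>Oops, an error occurred!</h1><p>' . $e->getMessage() . '</p>';
}

// Fixed pattern: encode the untrusted value for the HTML body context
// before it is concatenated into the page. ENT_QUOTES also covers
// attribute contexts; the charset must match the page's encoding.
function renderEncoded(Exception $e)
{
    $message = htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    return '<h1>Oops, an error occurred!</h1><p>' . $message . '</p>';
}

// Register the encoding variant as the handler for uncaught exceptions,
// which is the point where a custom TYPO3 handler would present them.
set_exception_handler(function (Exception $e) {
    if (!headers_sent()) {
        header('Content-Type: text/html; charset=UTF-8', true, 500);
    }
    echo renderEncoded($e);
});

$e = new RuntimeException($tainted);
echo renderUnencoded($e), "\n"; // script tag reaches the browser as markup
echo renderEncoded($e), "\n";   // &lt;script&gt;...: shown as literal text
```

Run it with the PHP CLI to compare the two outputs; only the second is safe to send as an error page.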