
oss-sec mailing list archives
Re: [Ticket#2013081510000021] [oss-security] CVE request: TYPO3 remote code execution by arbitrary file creation TYPO3-CORE-SA-201 [...]
From: TYPO3 Security Team <security () typo3 org>
Date: Thu, 15 Aug 2013 08:28:09 +0200
Dear Kurt,

08/15/2013 05:10 - Kurt Seifried wrote:

> so it sounds like embedded third party software, there appear to be some older CVEs for flowplayer, I'm guessing it might be one of these? Can the typo3 people please provide details (e.g. code patches) of exactly what they fixed?

Yes, third party software flowplayer and Audio Player. Here are the changes:

https://review.typo3.org/22711
https://review.typo3.org/22710

The related older CVEs are already mentioned in the advisory, namely: CVE-2011-3642, CVE-2013-1464

> For the second one "Vulnerable subcomponent: Backend File Upload / File Abstraction Layer" code execution please use CVE-2013-4250 for this issue.

Thanks. I updated the advisory accordingly.

Regards,
Helmut Hummel
Member of the TYPO3 Security Team

--
TYPO3 Security Team homepage: http://typo3.org/teams/security/
E-Mail: security () typo3 org
Please note: When replying to this e-mail, please leave the header intact.
Current thread:
- CVE request: TYPO3 remote code execution by arbitrary file creation TYPO3-CORE-SA-2013-002 Henri Salo (Aug 14)
- Re: CVE request: TYPO3 remote code execution by arbitrary file creation TYPO3-CORE-SA-2013-002 Kurt Seifried (Aug 14)
- Re: [Ticket#2013081510000021] [oss-security] CVE request: TYPO3 remote code execution by arbitrary file creation TYPO3-CORE-SA-201 [...] TYPO3 Security Team (Aug 14)
- Re: CVE request: TYPO3 remote code execution by arbitrary file creation TYPO3-CORE-SA-2013-002 Kurt Seifried (Aug 14)