Detections
Analytics

FreeBSD : typo3 -- multiple vulnerabilities (ef013039-89cd-11e8-84e9-00e04c1ea73d)

high Nessus Plugin ID 111142

Language:

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Typo3 core team reports :

It has been discovered that TYPO3's Salted Password system extension (which is a mandatory system component) is vulnerable to Authentication Bypass when using hashing methods which are related by PHP class inheritance. In standard TYPO3 core distributions stored passwords using the blowfish hashing algorithm can be overridden when using MD5 as the default hashing algorithm by just knowing a valid username. Per default the Portable PHP hashing algorithm (PHPass) is used which is not vulnerable.

Phar files (formerly known as 'PHP archives') can act als self extracting archives which leads to the fact that source code is executed when Phar files are invoked. The Phar file format is not limited to be stored with a dedicated file extension - 'bundle.phar' would be valid as well as 'bundle.txt' would be. This way, Phar files can be obfuscated as image or text file which would not be denied from being uploaded and persisted to a TYPO3 installation. Due to a missing sanitization of user input, those Phar files can be invoked by manipulated URLs in TYPO3 backend forms. A valid backend user account is needed to exploit this vulnerability. In theory the attack vector would be possible in the TYPO3 frontend as well, however no functional exploit has been identified so far.

Failing to properly dissociate system related configuration from user generated configuration, the Form Framework (system extension 'form') is vulnerable to SQL injection and Privilege Escalation. Basically instructions can be persisted to a form definition file that were not configured to be modified - this applies to definitions managed using the form editor module as well as direct file upload using the regular file list module. A valid backend user account as well as having system extension form activated are needed in order to exploit this vulnerability.

It has been discovered that the Form Framework (system extension 'form') is vulnerable to Insecure Deserialization when being used with the additional PHP PECL package 'yaml', which is capable of unserializing YAML contents to PHP objects. A valid backend user account as well as having PHP setting 'yaml.decode_php' enabled is needed to exploit this vulnerability.

Solution

Update the affected packages.

See Also

https://typo3.org/security/advisory/typo3-core-sa-2018-001/

https://typo3.org/security/advisory/typo3-core-sa-2018-002/

https://typo3.org/security/advisory/typo3-core-sa-2018-003/

https://typo3.org/security/advisory/typo3-core-sa-2018-004/

http://www.nessus.org/u?fc40379c

Plugin Details

Severity: High

ID: 111142

File Name: freebsd_pkg_ef01303989cd11e884e900e04c1ea73d.nasl

Version: 1.2

Type: local

Published: 7/18/2018

Updated: 11/10/2018

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:typo3-7, p-cpe:/a:freebsd:freebsd:typo3-8, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 7/17/2018

Vulnerability Publication Date: 7/12/2018