
TYPO3-SA-2010-020

Posted in advisory/TYPO3/ on October 05, 2010 by Marcus.

Tomorrow, advisory TYPO3-SA-2010-020 will be published together with new TYPO3 packages. Some of you will certainly complain about a security fix again.

But keep in mind that there are also security fixes for your desktop software (browser, plugins like Flash Player, office software, etc.). Keeping software up to date is necessary to stay secure nowadays.

Instead of complaining you should really appreciate the work we do. Security fixes are the visible results of the TYPO3 Association's effort to deliver not only a functional but also a secure CMS.

I'd like to say thanks to all those who report vulnerabilities and thus help to keep the CMS secure. Special thanks to all who communicated, evaluated reports, created patches or reviewed them - members of the TYPO3 Security Team and TYPO3 Core Team. Only these teams really know the huge amount of time and effort that is put into such security fixes.

Besides, I'd like to highlight that you, user of TYPO3, have a really professionally working and highly dedicated TYPO3 Security Team. Be proud of this! I'm personally very satisfied with the composition of the team (its members), the way we work, the things we have achieved and our tasks in the near future.

So please install the security fixes and think of it as an improved installation instead of "again a security fix". Better to install security fixes now than to clean up a compromised TYPO3 installation later due to missing security patches.

A friendly reminder: TYPO3 is open source and the TYPO3 Association is a non-profit. Only with your donations or memberships do you help to keep this great CMS alive and secure.



Marketing-FUD vs. real world: Security vulnerabilities discovered in bilobaCMS

Posted in advisory/ on August 26, 2010 by Marcus.

Update (Sept. 3, 2010): Originally, another URL was referenced for the press article mentioned below. It was no longer available, so the link was replaced by an article hosted at another domain.

On August 18, 2010 Biloba IT, vendor of a CMS called bilobaCMS, published a press article (DE) to promote its Content Management System.

Oddly enough, they mention that Microsoft recently stopped support for IE6 and the TYPO3 Association stopped support for the 4.1 branch. Don't ask me why they mention a browser at all! Version 6 of Internet Explorer appeared in August 2001, which means Microsoft provided support for a remarkable 9 years. In the meantime Internet Explorer 7 and 8 are available. TYPO3 4.1.0 appeared in March 2007, and therefore the TYPO3 Association provided more than 3 years of support. Successors are TYPO3 4.2, TYPO3 4.3 and TYPO3 4.4. Declaring end of life for a product is just a normal part of its lifecycle.

Surprisingly, the vendor of bilobaCMS claims that the software quality and security of (proprietary) CMSs is higher than that of Open Source systems because development is done by a company.

As you know, I'm interested in software security and was therefore curious how much "higher" the security of bilobaCMS is.

Dear readers, calm down! Not surprisingly, bilobaCMS suffers from the same typical vulnerabilities as other CMSs (Open Source ones included).

On August 19, 2010 I checked out their demo system (bilobaCMS 5.0) and quickly discovered a reflected Cross-Site Scripting vulnerability in the search form and a persistent Cross-Site Scripting vulnerability in the gallery feature. These vulnerabilities were disclosed to the vendor on the same day. Some hours later, the vendor replied and stated that the reported vulnerabilities had been fixed, customers informed and patches rolled out. Sadly, vulnerabilities and their fixes are not communicated through the vendor's website, so website visitors are not aware of such issues.

I'd like to highlight that the vendor obviously provided patches in a very short period of time. This is something to be proud of and worth mentioning in press articles instead of blaming Open Source for no reason.

What we have learned: choosing proprietary software over an Open Source one does not necessarily provide higher security standards!



No preannouncements for TYPO3 security advisories

Posted in advisory/TYPO3/ on March 04, 2010 by Marcus.

Every once in a while the TYPO3 Security Team is asked to use preannouncements in general. Such preannouncements, published days before the actual TYPO3 Security bulletin, seem to be a nice way to be prepared for a necessary update of the TYPO3 Core, the base platform.

We discussed this suggestion but came to the conclusion that we had better stick to the current procedure. Following is a list of points you need to understand.

  • Preannouncements for third-party TYPO3 extensions do not seem necessary. Most of the time, you won't be affected by extension issues because you aren't using any of the mentioned extensions.
  • We believe and know that upgrading the TYPO3 Core alone (without testing) won't take longer than 5 minutes per server.
  • We are not aware of any other Open Source project that has preannouncements in general use.
  • Preannouncements would become useless again if we needed to postpone a new TYPO3 Core version at short notice or release it early. Valid reasons would be regressions or exploits in the wild.
  • Your TYPO3 installation might not be vulnerable because you are not using the extension in question (recent openid vulnerability etc.) or the exploitability risk is very low (e.g. XSS in the backend with another vulnerability as a mandatory prerequisite).

Last but not least, preannouncements would be another task to be done by the TYPO3 Security Team. The creation/review/publication of the bulletin takes hours (not taking any work on the issue itself into account). We're mostly interested in reducing our workload; after all, most of us do this work for free. However, preannouncements would mean the contrary, and the overhead is not compensated by the expected benefits.

Nonetheless, for critical security issues we will of course proceed with preannouncements, as has been done several times in the past.



TYPO3 security fixes for phpmyadmin (PMASA-2009-6)

Posted in advisory/ on October 15, 2009 by Marcus.

On October 13, 2009 the developers of phpMyAdmin published an advisory (PMASA-2009-6) for XSS and SQL Injection vulnerabilities in their product.

Today, on October 15, the agency mehrwert - the maintainer of the TYPO3 extension phpMyAdmin - has published new packages that fix the above-mentioned vulnerabilities:

(Source: mehrwert's original news item [DE])



Reasons for bugs being introduced with security fixes

Posted in advisory/TYPO3/ on July 31, 2009 by Marcus.

This posting mainly addresses TYPO3 extensions.

If you are using the TYPO3 extension CoolURI and you've followed the TYPO3 Security Team's advice to upgrade in the latest advisory (TYPO3-SA-2009-010), you might notice problems when calling a website without parameters.

I'm picking this specific issue to explain why such problems happen from time to time.

If you have already had to deal with the TYPO3 Security Team, you might remember that we stress that a small number of rules be followed. Important ones are:

  • Make only the minimal modifications to the code necessary to fix a vulnerability!
  • Integrate only the security modifications in the new extension version that is going to be uploaded to the TER - no ordinary bugfixes, no new features.

With these rules we're trying to make sure that every TYPO3 user is able to upgrade to or install the new extension version. In a perfect world users won't notice any change from the previous version - only a security hole would be closed.

So why do bugs still appear although such rules are in place?

  • Once informed, extension developers fix a vulnerability on their own and upload the new extension version without further communication/discussion/consulting with the TYPO3 Security Team.
  • Extension developers don't read our mails and sneak further non-security-related code changes into the newly released extension version.
  • Security fixes might have side effects. With a complex extension the Security Team is unable to test every functionality the extension is providing.
  • Humans do make errors.

We're basically depending on the goodwill of extension developers and hope that they understand their extensions and have tested their security fix well in the scope of the complete extension. What we make sure of is that the reported vulnerability is fixed.

I hope you understand and accept the above-mentioned reasons for such bugs. We're doing our best to prevent these bugs. Please never hesitate to follow our advice in TYPO3 Security bulletins - otherwise you risk a compromised TYPO3 installation.

By the way, the CoolURI issue happened because the extension developer did not only fix the security vulnerability but also integrated further code changes, and did the fixing on his own.
