
Policy of least disclosure explained

Posted in advisory/TYPO3/ on July 24, 2009 by Marcus.

In the TYPO3 Security Team section of the website you'll find a paragraph on incident handling. It states that the TYPO3 Security Team follows a policy of least disclosure. Have you ever asked yourself what this actually means?

For the TYPO3 Security Team this means that the team publishes bulletins/advisories for every vulnerability in TYPO3 Core or in TER-listed extensions that has been reported and finally fixed. The bulletin itself contains only the minimum facts about a vulnerability that are needed to determine whether a user might be affected and what the possible impact would be.

The TYPO3 Security Team will not publish exploit or proof-of-concept code; such critical information is only exchanged between the reporter of the vulnerability, the TYPO3 Security Team itself and either the TYPO3 Core Team or the extension maintainer.


The benefits for TYPO3 users:
By subscribing to the announce mailing list (more on basic steps in my "first things first" blog post) you'll be informed about any vulnerability found in TYPO3 Core or TER-listed extensions. No ready-to-use exploit code is published, which means that a Black Hat needs to put some effort into analysis and coding before being able to exploit a vulnerability.

Needs and expectations of the TYPO3 Security Team:
In order to maintain this least disclosure policy, the TYPO3 Security Team expects to be involved in every vulnerability fixing process. So please contact us if

  • you've discovered a vulnerability in TYPO3 Core or a TER-listed extension
  • a vulnerability in your own extension has been reported to you or found by yourself

The TYPO3 Security Team has created an Extension Security Policy some time ago. Please make sure you've read it!

Tags: TYPO3 Security Blog


VIGILANCE-VUL-8839 - not a vulnerability

Posted in advisory/ on July 07, 2009 by Marcus.

Today, I stumbled across VIGILANCE-VUL-8839, a newly published to-be advisory covering TYPO3 bugtracker issue #0011369.
Attentive readers of this blog are aware that I've covered exactly this issue in my recent posting on new TYPO3 releases. I also mentioned that this is not a vulnerability. It seems somebody is of a different opinion. Challenge accepted.

So why is this not a vulnerability:

The file deny pattern is generally only applied when uploading files onto the TYPO3 system, so user files matching this pattern won't exist on a TYPO3 installation. The pattern can be modified by a TYPO3 administrator; by default it prevents PHP files from being uploaded.
Jumpurl would allow access to all files the web server user account has access to, with one prerequisite: the request must carry a mandatory token that matches the one TYPO3 expects.

Therefore you will only be able to access files via jumpurl if the system is configured to expose those files. AFAIK, this is only used for e.g. PDF documents referenced by newsletters. Such jumpurl links with a valid token are only created by TYPO3 when an author/admin consciously decides to make specific files available.

Independently of that, a typical author will never be able to create jumpurl links to the central TYPO3 configuration file (a PHP file).

What the core team (with the TYPO3 Security Team's approval) has decided:
There is no need at all to allow, even theoretically, the creation of links to this configuration file or the configuration directory.

Your system is not more secure after applying the patch! Nor did the TYPO3 Security Team fix a known vulnerability with that patch. The Security Team is very focused on TYPO3 security. If we had considered this to be a vulnerability, we would have published an advisory.
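As an added illustration, not TYPO3's own code, here is a minimal token-gated file link in the spirit of the jumpurl argument above: a request is honoured only when its token matches the one the server computes over the path with a secret key, and, mirroring the core team's decision, the configuration directory is refused even when the token is valid. The key, the directory name and all function names are constructed for this example.

```php
<?php
// Added example, not TYPO3 code: a token-gated file link modelled on the jumpurl
// description above. Key, directory name and function names are constructed.
declare(strict_types=1);
const SECRET_KEY = 'constructed-example-key';  // stands in for the site's secret
const CONFIG_DIR = 'config';                   // assumed top-level configuration directory

// Minted server-side when an author consciously publishes a file, e.g. a newsletter PDF.
function makeFileLink(string $path): array
{
    return ['file' => $path, 'token' => hash_hmac('sha256', $path, SECRET_KEY)];
}

// Splits the path into clean segments; rejects absolute paths and any '.' or '..'.
function normalizePath(string $path): ?array
{
    if ($path === '' || $path[0] === '/') {
        return null;
    }
    $segments = explode('/', $path);
    foreach ($segments as $s) {
        if ($s === '' || $s === '.' || $s === '..') {
            return null;
        }
    }
    return $segments;
}

// Request side: the mandatory token is the gate; the configuration directory is
// refused even for a link whose token is valid (the defence in depth the patch adds).
function serveFileLink(string $path, string $token): string
{
    if (!hash_equals(hash_hmac('sha256', $path, SECRET_KEY), $token)) {
        return 'denied: token mismatch';
    }
    $segments = normalizePath($path);
    if ($segments === null) {
        return 'denied: malformed path';
    }
    if ($segments[0] === CONFIG_DIR) {
        return 'denied: configuration path';
    }
    return 'serve: ' . implode('/', $segments);
}

// A consciously published link is served; a guessed token fails at the gate;
// a link to the configuration directory fails even with a correctly computed token.
$link = makeFileLink('fileadmin/newsletter/report.pdf');
echo serveFileLink($link['file'], $link['token']), PHP_EOL;
echo serveFileLink('config/settings.php', 'guessed-token'), PHP_EOL;
echo serveFileLink('config/settings.php', hash_hmac('sha256', 'config/settings.php', SECRET_KEY)), PHP_EOL;
```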

I hope this is clearer for you now. No need to worry! Thanks for listening.

Tags: vulnerability


Removal advice in TYPO3 Security Bulletins

Posted in advisory/ on June 19, 2009 by Marcus.

Your requests for vulnerability details

In a recent TYPO3 Security Advisory/Bulletin, the TYPO3 Security Team advised users to uninstall and delete a vulnerable extension.

This generally only happens when we didn't manage to get in contact with the extension owner. After we published this bulletin, we were contacted by individuals and web agencies who expressed their wish to fix the vulnerability, mainly because they were using the extension in question.

Whenever the TYPO3 Security Team finds a vulnerability in an extension and is unable to reach the registered extension owner (no reply to our mails, mail address no longer valid), the TYPO3 Security Team advises to uninstall and remove the extension.

We are of course aware of the fact that such an extension might be deployed on a lot of TYPO3 systems out there. This procedure is not about annoying you at all.

Being unable to contact the extension owner means that the extension is no longer maintained.

No matter how easy the vulnerability is to fix, and even though we might patch the extension ourselves, we'll face the same situation again whenever a further vulnerability in the extension is reported.

The TYPO3 Security Team does not maintain extensions.

It has also happened in the past that the extension owner contacted us some time after we published the bulletin and was willing to maintain the extension.

In case we still aren't contacted by the extension owner, we cannot simply:

  1. disclose vulnerability details to other users/agencies that use the extension and are willing to maintain it
  2. transfer the extension key to other users/agencies that are willing to maintain the extension


Reasons:
(ad 1) We obviously don't want exploits in the wild and may not be able to put trust in someone who has only contacted us by email.
(ad 2) The extension owner "owns" the extension. We cannot simply remove the ownership. You might want to contact the TYPO3 Association and ask them to transfer the key to you. Transferring keys is not a TYPO3 Security Team task.

Thank you for your understanding.

Tags: TYPO3 Security Blog


First things first

Posted in advisory/ on April 21, 2009 by Marcus.

Subscribe to the announce mailing list

As a security-aware person you want to be informed of security updates. Nothing is easier than that. The TYPO3 announce mailing list is a low-traffic list; besides the important security updates, only regular major and minor releases are announced there.

On that list, security fixes for the TYPO3 Core and for TYPO3 extensions (available in TER) are announced.

In the past, pre-announcements of severe vulnerabilities and the corresponding security fixes have been posted there so that every TYPO3 admin is prepared for immediate action.

So, if you are maintaining TYPO3 websites, please make sure to be subscribed to that list.

Subscribe now!


In addition, you might want to subscribe to the security news feed listed on http://news.typo3.org/xml-feeds/

Both the announce mailing list and the security news feed are updated when there's a new security advisory. But in case of mail server problems on your side, you may want to have a backup in place: the security news feed.

Tags: mailinglist

