Currently the posts are filtered by: TYPO3
Reset this filter to see all posts.

Reasons for bugs being introduced with security fixes

Posted in advisory/TYPO3/ on July 31, 2009 by Marcus.

This posting is mainly addressing TYPO3 extensions.


If you are using TYPO3 extension CoolURI and you've followed the TYPO3 Security Team's advice to upgrade in latest advisory (TYPO3-SA-2009-010), you might notice problems with calling a website without parameters.

I'm picking this specific issue to explain why such problems happen from time to time.

 

If you already had to deal with the TYPO3 Security Team, you might remember we are stressing that a small numbers of rules are being followed. Important ones are:

  • Do only least necessary modifications to the code to fix a vulnerability!
  • Do only integrate security modifications in the new extension version that is going to be uploaded to the TER - no normal bugfixes, no new features.

With these rules we're trying to make sure that every TYPO3 user is able to upgrade/install the new extension version. In a perfect world users won't recognize any change to the previous version - only a security hole would be closed.

So why bugs still appear although such rules are in place?

  • Once being informed, extension developers on their own fix a vulnerability and upload the new extension version without further communication/discussion/consulting with the TYPO3 Security Team.
  • Extension developers aren't reading our mails and are sneaking in further non-security related code changes with the newly released extension version.
  • Security fixes might have side effects. With a complex extension the Security Team is unable to test every functionality the extension is providing.
  • Humans do make errors.

We're basically depending on the goodwill of extension developers and hope that they understand their extensions and have well-tested their security-fix in the scope of the complete extension. We make sure that the reported vulnerability is fixed.

I hope you understand and accept the above mentioned reasons for such bugs. We're doing our best to prevent these bugs. Please do never hesitate to follow our advices in TYPO3 Security bulletins - you would risk a compromised TYPO3 installation.

 

Btw., the CoolURI issue happened because the extension developer did not only fix the security vulnerability but also integrated further code changes and did the fixing on his own.

Permalink | Comments: 0
Tags:  TYPO3 Security Blog
Views: 0

Policy of least disclosure explained

Posted in advisory/TYPO3/ on July 24, 2009 by Marcus.

On the TYPO3 Security Team website section you'll find a paragraph on incident handling. There it is mentioned that the TYPO3 Security Team does follow a policy of least disclosure. Have you ever asked yourself what this actually means?

For the TYPO3 Security Team this means that the team will publish bulletins/advisories for every vulnerability in TYPO3 Core or in TER listed extensions that has been reported and finally fixed. The bulletin itself will only contain the least necessary facts of vulnerabilities that are needed to know if a user might be affected and what the possible impact would be.

The TYPO3 Security Team will not publish exploit or proof of concept code; such critical information is only exchanged between the reporter of the vulnerability, the TYPO3 Security Team itself and either the TYPO3 Core Team or the extension maintainer.

 

The benefits for TYPO3 user:
By subscribing to the announce mailinglist (more on basic steps in my first things first blog post) you'll be informed about any vulnerability found in TYPO3 Core or TER listed extensions. There's no ready-to-be-used exploit code which means that a Black Hat needs to put some efforts in thinking and coding before he's able to exploit a vulnerability.

Needs and expectations by the TYPO3 Security Team:
In order to maintain this least disclosure policy, the TYPO3 Security Team expects to get involved in every vulnerability fixing process. So please contact us if

  • you've discovered a vulnerability in TYPO3 Core or a TER listed extension
  • you've been reported or found by yourself a vulnerability in your own extension

The TYPO3 Security Team has created an Extension Security Policy some time ago. Please make sure you've read it!

Permalink | Comments: 0
Tags:  TYPO3 Security Blog
Views: 0

New TYPO3 releases (patch versions)

Posted in TYPO3/ on July 16, 2009 by Marcus.

No security fixes but security improvements

By today, new TYPO3 releases (patch versions 4.0.13, 4.1.12, 4.2.8) have been published.

Although there are no security fixes in them, they contain desirable security improvements as listed below:

  • file deny pattern is applied to jumpurl (4-0, 4-1, 4-2)
  • automatic deletion of ENABLE_INSTALL_TOOL file (4-1, 4-2)

Before, jumpurl allowed to download any file ressource (if you provide the correct validation hash). Now, by default PHP files are no longer able to be downloaded and access to files below typo3conf directory is completely denied.

A lot of TYPO3 admins forgot to delete the ENABLE_INSTALL_TOOL file after using the install tool which exposes a risk. I've covered that by a blog post and recommended to set up a cronjob for it. Now, this file is automatically deleted if it's older than one hour. During development you can suppress this behaviour by setting the file content to "KEEP_FILE".
Update: Michael Stucki has written a nice posting about this new behaviour on buzz.typo3.org.

Permalink | Comments: 0
Tags:  TYPO3 Security Blog
Views: 0

Restructured team pages on typo3.org

Posted in TYPO3/ on July 05, 2009 by Marcus.

Some days ago, we've restructured the TYPO3 Security Team section on typo3.org. In specific we reduced the number of menu items to a minimum. Additionally there's a new page called Resources with all kind of helpful information for TYPO3 administrators and developers. You'll find, among others, references to security related tutorials, slides and videos.

If you are interested in TYPO3 security this page is now a nice starting point.

What's your opinion? What is still missing? Are there any resources on the internet that should be referenced to from the TYPO3 Security Team pages? Also helping hands on improving the (slightly outdated but still valid) Security Cookbook are highly appreaciated.

Please help us to support you on TYPO3 security!

Permalink | Comments: 0
Tags:  TYPO3 Security Blog
Views: 0

Tell me your password

Posted in TYPO3/ on May 18, 2009 by Marcus.

Move credentials outside of the webroot

I've created a new tutorial that shows how to move credentials outside of the webroot. By default TYPO3 stores any kind of configuration into file typo3conf/localconf.php. Besides graphics configuration, etc... also database username/password and the encryption key is stored in there.

Although there's no way to get hold of this data as website user, I personal don't like the approach to store data that is intented to kept private inside the webroot.

The tutorial does explain the reasons in more detail. Have a look!

Permalink | Comments: 0
Tags: snippet, typo3
Views: 0

Categories

  • advisory(9)
  • book(1)
  • [-]database(1)
  • exploit(1)
  • hacks(2)
  • others(6)
  • PHP(1)
  • TYPO3(23)

Tag cloud