about
blog
tutorials
Beware of Subversion leftovers in production websites
Posted in others/ on November 03, 2009 by .
Every once in a while, old and known problems are newly discovered. The same recently happened for the Subversion leftover issue.
If you checkout projects from a Subversion server, subversion creates a ".svn" directory that contains some data. Using this ".svn" folder, subversion is able to determine if local changes have been made, etc ...
In case, your webserver does not reject access to ".svn" folders, a malicious user will have access to listings of webserver directories even if you try to prevent that with the "DirectoryIndex" directive. In addition, a malicious user might get hold of unparsed script code in plain text depending on your webserver configuration.
There are at least two valid solutions:
- Use dedicated command "svn export" for deployments and you'll receive a clean directory tree.
- Reject access to ".svn" folders in your webserver configuration.
A valid entry in your Apache config file (httpd.conf/apache2.conf) would look like this:
#
# Prevents access on SVN specific folders
#
<Directory ~ ".*\.svn">
Order allow,deny
Deny from all
</Directory>
TYPO3 security improvement in v4.3: HTTP only cookies
Posted in TYPO3/ on October 19, 2009 by .
Together with the previously mentioned feature (secure cookie transfer) an additional security enhancement has found its way into TYPO3 Core v4.3:
There's now the possibility to access FE/BE session cookies via HTTP only. With that enabled, it's no longer possible to access these cookies via JavaScript and e.g. retrieve session IDs from them. Current browsers support such declaration and will prevent the JS access to the cookies.
In the past it had been possible for a malicious person to find and exploit a Cross-Site Scripting vulnerability, to get hold of session IDs via JavaScript and to try to authenticate to a TYPO3 installation using these session identifiers.
It is expected that some TER-listed extension might stop working. Therefore, this feature is currently disabled by default. Nonetheless, it will be activated by default at a later point in time. Therefore, you might want to test your installation already today:
To enable and use this new security feature, put
$TYPO3_CONF_VARS['SYS']['cookieHttpOnly'] = true;
into your localconf.php file!
TYPO3 security improvement in v4.3: Secure cookie transfer
Posted in TYPO3/ on October 16, 2009 by .
If you are running a TYPO3 installation that makes use of SSL, following new feature will enhance your website's security (starting with upcoming TYPO3 version 4.3):
You probably know that the HTTP protocol is stateless and therefore sessions try to solve that "problem". TYPO3 uses cookies to exchange session identifiers between server and client.
Currently, if you are running e.g. the TYPO3 Backend (BE) with SSL (HTTPS) enabled and call the BE, the server will issue a cookie with the session ID. This cookie will be transferred over an secured/encrypted channel that prevents an eavesdropper to read the session ID from the cookie. If you call the BE again using standard (insecure) HTTP, your client will transfer the same cookie with the session ID exposed in plain-text for everyone who is sniffing your traffic.
Now, with feature #7461 ("Transfer cookies via SSL only whenever possible") implemented in upcoming TYPO3 v4.3, you can decide if TYPO3 should transfer created cookies only over a secured/encrypted channel or if cookies, initially issued by the server over a secured/encrypted channel should again only be transferred (by the client a.k.a. your browser) over a secured/encrypted channel.
This is done by setting a specific cookie declaration that current browsers understand and therefore will apply to your client-server traffic.
To use that new feature, please adjust a new parameter $TYPO3_CONF_VARS['SYS']['cookieSecure'] (through localconf.php file):
- integer "0" - current behaviour, transfer of cookies over any channel (default)
- integer "1" - server creates and transfers cookies only when accessed over a secured/encrypted channel; client is asked to send the cookie only over secured/encrypted channel (this setting enforces SSL)
- integer "2" - server will always create and transfer the cookie no matter which channel is used; if accessed over a secured/encrypted channel, the cookie will only be exchanged in an encrypted way.
Even if e.g. your TYPO3 Backend is accessible over SSL only, you won't be safe from cookies with session IDs transferred in an insecure manner and exposed SIDs as plain-text. So, whenever using SSL with TYPO3, please make sure to be familiar with that new feature and its options.
TYPO3 security fixes for phpmyadmin (PMASA-2009-6)
Posted in advisory/ on October 15, 2009 by .
On October 13, 2009 developers of phpMyAdmin have published an advisory (PMASA-2009-6) for XSS and SQL Injection vulnerabilities in their product.
Today, on October 15, agency mehrwert - the maintainer of TYPO3 extension phpMyAdmin - has published new packages that fix above mentioned vulnerabilities:
- for TYPO3 4.2, extension version 4.0.5 has been uploaded to the TYPO3 Extension Repository
- for TYPO3 < 4.2, please download extension version 3.5.0 directly from mehrwert webserver
(Source: mehrwert's original news item [DE])
TYPO3 Association 2nd Quarterly Report 2009
Posted in TYPO3/ on August 18, 2009 by .
I'd like to use this posting to point to an unfortunately underestimated or even unknown possibility to get to know what's going on in the TYPO3 world.
Every three months, the TYPO3 Association is publishing (or at least is supposed to be) a Quarterly Report. It's a nice way to get informed about what several (official) TYPO3 Committees / Teams are currently doing or planning.
Today, the T3A has published the 2nd Quarterly Report for 2009. The TYPO3 Security Team is also mentioned in this document.
In detail:
- Several TYPO3 Security Team members met at the TYPO3 Developer Days 2009. Such official TYPO3 events are welcome possibility to feel again the community / team spirit that might got missing during the year. It also allows to discuss things that are better to be addressed in face-to-face meetings.
- The TYPO3 Security Team lacks of new members. New ones should be security-minded people with a deeper knowledge in TYPO3 and willing to regularily spend a certain amount of time on the team work.
- A newly created page called resources has been added to the TYPO3 Security Team section on typo3.org. It already keeps several documents that help to stay up-to-date on TYPO3 Security - and it keeps growing.
- New team internal project called Incident Handling System (IHS).
Especially the last item needs a bit of explanation:
The TYPO3 Extension Repository (TER) is constantly growing. With about 4000 different extensions, the TYPO3 Security Team spends almost 100% of its time on extension vulnerabilities.
The bulletin publishing process alone can eat up several hours for a single bulletin. The bulletin is a standard content element. It needs to be in a common form. Every mentioned extension and linked resource has to be manually inserted, links need to be double-checked. Vulnerable extension versions need to be removed from the repository. Bulletin information must be reflected in the according issue in the separate TYPO3 Security Team Trouble Ticket System. The bulletins then will be proof read, comments reflected in the bulletin. New extension versions with the security fixes need to be uploaded. Besides to the bulletin, a dedicated mailing list posting and news item has to be created.
You certainly understand that we really like to reduce the time spend on such tasks. The planned Incident Handling System will change that. Bulletins by default will be in a common structure, extensions and their versions can be selected, automatically added and vulnerable extension versions marked insecure. Mailing list posting and news item are instantly created when publishing the bulletin.
I hope to see it implemented soon.
If you or your company is able to contribute resources (manpower or money) to this IHS project, please don't hesitate to contact the TYPO3 Security Team! Any help is appreciated.
