Off-topic: Going online with o2 mobile

Posted in others/ on July 15, 2009 by Marcus.

After having cancelled one of my mobile phone contracts, I took the chance to actually check my recent bills. That was quite surprising (I should have done this earlier!).

o2 Germany by default offers two different billing methods (there are further packages that require a monthly fee): per volume and per time. It seems that in March 2008 I cancelled an add-on package (email stuff) and accidentally switched to volume based billing.

This made me pay 9,22 EUR per MB (1 MB could be a single web page with a few images). Curious as I am, I calculated that for the price of this 1 MB I could be online with time based billing for 102 minutes (billing is 0,09 EUR per minute). 102 minutes would allow 5,5 GB of transfer at the offered (theoretical) maximum speed of 7,2 MBit/s.

Paying about 9 EUR and getting 1 MB with volume based billing versus 5,5 GB in time based billing!! What would you choose? Interesting business model, isn't it?

I still wonder if there's any use case where choosing volume based billing is cheaper than time based billing? Like connecting to a web server and sending keepalive packets only every two minutes?

At least, after presenting the figures (1 MB vs. 5,5 GB), o2's Customer Care gave me a little refund. I'm now using a package with a monthly fee but "unlimited traffic". Stupid me.

Tags: TYPO3 Security Blog


VIGILANCE-VUL-8839 - not a vulnerability

Posted in advisory/ on July 07, 2009 by Marcus.

Today, I stumbled across VIGILANCE-VUL-8839, a newly published would-be advisory covering TYPO3 bugtracker issue #0011369.
Attentive readers of this blog are aware that I've covered exactly this issue in my recent posting on new TYPO3 releases. I also mentioned that this is not a vulnerability. It seems somebody is of a different opinion. Challenge accepted.

So why is this not a vulnerability:

The file deny pattern is generally only applied when uploading files onto the TYPO3 system. User files matching this pattern therefore won't exist on a TYPO3 installation. The pattern itself can be modified by a TYPO3 administrator; by default it prevents PHP files from being uploaded.
Jumpurl would allow access to all files the web server's user account can read. Prerequisite: the request must carry a mandatory token that matches the one TYPO3 is expecting.

Therefore you will only be able to access files with jumpurl if the system is configured to expose such files. AFAIK, this is only used for e.g. PDF documents referenced by newsletters. Such jumpurl links with a valid token are only created by TYPO3 when an author/admin consciously decides to make specific files available.

Independent of that, a typical author will never be able to create jumpurl links to the central TYPO3 configuration file (a PHP file).
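To make the two controls described above concrete, here is an added illustration (not TYPO3's own code) of how an upload-time deny pattern and a token-checked download link interact: the token is an HMAC over the file path, and the download handler additionally restricts paths to directories an editor has consciously exposed, so a token can never be reused to reach a configuration file. The deny pattern, the key and the exposed directory are constructed for the example.

```python
import hashlib
import hmac
import posixpath
import re

# Constructed deny pattern in the spirit of the behaviour the post describes
# (blocks PHP-like files and .htaccess on upload). Not TYPO3's actual default.
FILE_DENY_PATTERN = re.compile(r"\.(php[3-7]?|phtml|phar)(\..*)?$|^\.htaccess$", re.IGNORECASE)

# Constructed secret; a real installation would use its own encryption key.
ENCRYPTION_KEY = b"constructed-example-key"

# Constructed allow-list of directories whose files may be served via jumpurl links.
EXPOSED_DIRS = ("fileadmin/newsletters/",)


def upload_allowed(filename: str) -> bool:
    """Upload-time control: reject a file whose basename matches the deny pattern."""
    return FILE_DENY_PATTERN.search(posixpath.basename(filename)) is None


def jumpurl_token(path: str) -> str:
    """Token the link generator embeds: HMAC over the normalised file path."""
    norm = posixpath.normpath(path)
    return hmac.new(ENCRYPTION_KEY, norm.encode(), hashlib.sha256).hexdigest()


def jumpurl_allowed(path: str, token: str) -> bool:
    """Download-time control, evaluated before a byte of the file is served.

    Both conditions must hold: the normalised path stays inside an exposed
    directory (no absolute paths, no traversal) and the supplied token equals
    the expected HMAC, compared in constant time.
    """
    norm = posixpath.normpath(path)
    if norm.startswith("/") or norm.startswith(".."):
        return False
    if not any(norm.startswith(d) for d in EXPOSED_DIRS):
        return False
    expected = jumpurl_token(norm)
    return hmac.compare_digest(expected.encode(), token.encode())
```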

What the core team (with the TYPO3 Security Team's approval) has decided:
There's no need at all to (theoretically) allow creating links to this configuration file or configuration directory.

Your system is not more secure after applying the patch! Nor did the TYPO3 Security Team fix a known vulnerability with that patch. The Security Team is very focused on TYPO3 security. Had we considered this to be a vulnerability, we would have published an advisory.

I hope this is more clear for you now. No need to worry! Thanks for listening.

Tags: vulnerability


Restructured team pages on typo3.org

Posted in TYPO3/ on July 05, 2009 by Marcus.

Some days ago, we restructured the TYPO3 Security Team section on typo3.org. In particular, we reduced the number of menu items to a minimum. Additionally there's a new page called Resources with all kinds of helpful information for TYPO3 administrators and developers. You'll find, among others, references to security related tutorials, slides and videos.

If you are interested in TYPO3 security this page is now a nice starting point.

What's your opinion? What is still missing? Are there any resources on the internet that should be referenced from the TYPO3 Security Team pages? Helping hands on improving the (slightly outdated but still valid) Security Cookbook are also highly appreciated.

Please help us to support you on TYPO3 security!

Tags: TYPO3 Security Blog


Removal advices in TYPO3 Security Bulletins

Posted in advisory/ on June 19, 2009 by Marcus.

Your requests for vulnerability details

In a recent TYPO3 Security Advisory/Bulletin, the TYPO3 Security team advised to uninstall and delete a vulnerable extension.

This generally only happens when we didn't manage to get in contact with the extension owner. After we've published this bulletin, we were contacted by individuals and web agencies who expressed their wish to fix the vulnerability - mainly because they were using the extension in question.

Whenever the TYPO3 Security Team finds a vulnerability in an extension and is unable to reach the registered extension owner (no reply to our mails, mail address no longer valid), the TYPO3 Security Team advises to uninstall and remove the extension.

We are of course aware of the fact that this extension might be deployed on a lot of TYPO3 systems out there. This procedure is not about annoying you at all.

Being unable to contact the extension owner means that the extension is no longer maintained.

No matter how easy it is to fix the vulnerability and that we might patch the extension by ourselves, we'll again face the same situation whenever a further vulnerability in the extension is reported.

The TYPO3 Security Team does not maintain extensions.

It also happened in the past that the extension owner contacted us and was willing to maintain the extension some time after we published the bulletin.

In case we still aren't contacted by the extension owner, we cannot simply

  1. disclose vulnerability details to other users/agencies that use the extension and are willing to maintain it
  2. transfer the extension key to other users/agencies that are willing to maintain the extension


Reasons:
(ad 1) We obviously don't want exploits in the wild and might not be able to put trust in someone who has merely contacted us by email.
(ad 2) The extension owner "owns" the extension. We cannot simply remove the ownership. You might want to contact the TYPO3 Association and ask them to transfer the key to you. Transferring keys is not a TYPO3 Security Team task.

Thank you for your understanding.

Tags: TYPO3 Security Blog


TYPO3 at the LinuxTag

Posted in others/ on June 17, 2009 by Marcus.

Meet TYPO3 Core and Security Team members

From June 24 to 27, 2009, the 15th LinuxTag takes place in Berlin (Germany). Amongst other Open Source projects, TYPO3 will be present with a booth.

If you are going to visit the LinuxTag, or if you have questions regarding TYPO3's current and future status, visit us in hall 7.2A, booth 113B!

TYPO3 Core Team members will welcome you on all four days. Answers to TYPO3 security questions will be given on Friday.


We're looking forward to meeting you!

Tags: TYPO3 Security Blog

