Posted in advisory/ on June 19, 2009 by .
In a recent TYPO3 Security Advisory/Bulletin, the TYPO3 Security Team advised users to uninstall and delete a vulnerable extension.
This generally only happens when we didn't manage to get in contact with the extension owner. After we published this bulletin, we were contacted by individuals and web agencies who expressed their wish to fix the vulnerability, mainly because they were using the extension in question.
Whenever the TYPO3 Security Team finds a vulnerability in an extension and is unable to reach the registered extension owner (no reply to our mails, mail address no longer valid), the TYPO3 Security Team advises users to uninstall and remove the extension.
We are of course aware that such an extension might be deployed on a lot of TYPO3 systems out there. This procedure is not meant to annoy anyone.
Being unable to contact the extension owner means that the extension is no longer maintained.
No matter how easy the vulnerability is to fix, and even if we patched the extension ourselves, we would face the same situation again whenever a further vulnerability in the extension is reported.
The TYPO3 Security Team does not maintain extensions.
It has also happened in the past that the extension owner contacted us and was willing to maintain the extension some time after we had published the bulletin.
In case we still aren't contacted by the extension owner, we cannot simply
Reasons:
(ad 1) We obviously don't want exploits in the wild, and we may not be able to trust a person who has merely contacted us by email.
(ad 2) The extension owner "owns" the extension. We cannot simply remove the ownership. You might want to contact the TYPO3 Association and ask them to transfer the key to you. Transferring extension keys is not a TYPO3 Security Team task.
Thank you for your understanding.
Posted in others/ on June 17, 2009 by .
On June 24 - 27, 2009, the 15th LinuxTag takes place in Berlin (Germany). Amongst other Open Source projects, TYPO3 will be present with a booth.
If you are going to visit the LinuxTag, or if you have questions regarding TYPO3's current and future status, visit us in hall 7.2A, booth 113B!
TYPO3 Core Team members will welcome you during all four days. Answers to TYPO3 Security questions will be given on Friday.
We're looking forward to meeting you!
Posted in others/ on June 13, 2009 by .
Whoever ordered the book PHP-Sicherheit via my Amazon link - thank you for that. You won't regret it.
Of course, I also have this book in my bookcase. The co-author is Stefan Esser, reporter of a lot of PHP vulnerabilities, initiator of the Month of PHP Bugs and maintainer of the Suhosin project.
The book is a must-have for administrators (of PHP applications) as well as for PHP developers.
It starts with a chapter explaining how an attacker works on gathering as much information as possible about the host to be attacked. Besides that, all types of vulnerabilities are explained. The authors give advice on how to harden your PHP installation and how to write secure code. Finally, the authors present projects like Suhosin as well as filter/IDS solutions like mod_security with whitelist or blacklist approaches.
It's worth every Euro!
Posted in TYPO3/ on May 18, 2009 by .
I've created a new tutorial that shows how to move credentials outside of the webroot. By default, TYPO3 stores any kind of configuration in the file typo3conf/localconf.php. Besides graphics configuration etc., the database username/password and the encryption key are also stored in there.
Although there's no way to get hold of this data as a website user, I personally don't like the approach of storing data that is intended to be kept private inside the webroot.
The tutorial does explain the reasons in more detail. Have a look!
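As an added illustration of the idea behind the tutorial (this is example code written for this page, not the tutorial's own code and not part of TYPO3), the snippet below keeps the database credentials and the encryption key in a file outside the web root and lets typo3conf/localconf.php pull them in. The path /srv/typo3-private/credentials.php and the array keys are assumptions; the variable names are the ones TYPO3 4.x localconf.php uses for the database connection and the encryption key.

```php
<?php
// Added example: credentials live OUTSIDE the web root and are loaded into
// typo3conf/localconf.php at runtime.
//
// Contents of /srv/typo3-private/credentials.php (assumed path; keep it
// outside the document root and readable only by the web server user,
// e.g. chmod 0400, owned by that user):
//
//   <?php
//   return array(
//       'db_host'        => 'localhost',
//       'db_name'        => 'typo3_db',
//       'db_username'    => 'typo3_user',
//       'db_password'    => 'constructed-example-password',
//       'encryption_key' => 'constructed-example-key-replace-me',
//   );
//
// The part below goes into typo3conf/localconf.php.

$privateConfig = '/srv/typo3-private/credentials.php';   // assumed location

// Fail closed: an error page is preferable to running without credentials.
if (!is_readable($privateConfig)) {
    die('Private configuration file is missing or not readable.');
}

// Sanity check: refuse to continue if someone placed the file below the
// document root after all, which would defeat the purpose of this setup.
$docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
if ($docRoot !== false
    && strpos(realpath($privateConfig), $docRoot . DIRECTORY_SEPARATOR) === 0) {
    die('Private configuration file must not be located inside the web root.');
}

$private = include $privateConfig;

$typo_db_host     = $private['db_host'];
$typo_db          = $private['db_name'];
$typo_db_username = $private['db_username'];
$typo_db_password = $private['db_password'];
$TYPO3_CONF_VARS['SYS']['encryptionKey'] = $private['encryption_key'];

// Do not leave the secrets lying around in extra globals.
unset($private, $privateConfig, $docRoot);
```

The include returns the array from the private file, so nothing secret is written to a file that a misconfigured web server could serve as plain text. If you later change settings through the Install Tool, check that it hasn't written the credentials back into localconf.php.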
Posted in others/ on May 17, 2009 by .

It seems you guys had a lot of fun at the T3DD09.
Image license: CC-by-sa; server picture by JohnSeb (Flickr); pool pictures by Mario Rimann and Thomas Hempel