[Typo3-announce] Security Bulletins: Important Security Enhancements in TYPO3 3.8.1

Ekkehard Gümbel ekki at typo3.org
Mon Nov 14 13:06:38 CET 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multiple TYPO3 Security Bulletins have been issued, all of which are
addressed by the release of TYPO3 3.8.1.

Over the years, TYPO3 has become very mature in many respects, one of which
is the seriousness that we put on security matters. Therefore the current
release 3.8.1 contains some improvements as listed below.


- ------------------------------
Note: For the forthcoming version TYPO3 4.0 we are planning to have another
general code review of the core - provided that we receive some funding for
it. If you are able to contribute, please contact the TYPO3 security team
(http://typo3.org/teams/security/contact-us/) or the TYPO3 Association
(http://association.typo3.org/). Thank you!
- ------------------------------



TYPO3-20051114-1: Backup Files Protection
http://typo3.org/teams/security/security-bulletins/typo3-20051114-1/
The file editor functionality in the TYPO3 Install Tool (menu option "Edit
files in typo3conf/") has an option that reads "Make backup copy". If set,
this will create a backup copy and append a "~" to the original file name.
This leads to file names that may be delivered as text files by a web
server. Thus, sensitive information (e.g. the content of localconf.php) may
be disclosed.

TYPO3-20051114-2: showpic.php
http://typo3.org/teams/security/security-bulletins/typo3-20051114-2/
A Cross Site Scripting issue has been found in showpic.php.

TYPO3-20051114-3: PhpMyAdmin
http://typo3.org/teams/security/security-bulletins/typo3-20051114-3/
Various security issues have been reported for PhpMyAdmin (see
www.securityfocus.com/bid/15196 for details.)

TYPO3-20051114-4: "Shift-Reload"
http://typo3.org/teams/security/security-bulletins/typo3-20051114-4/
In the past, a "Shift Reload" from the browser (AKA a GET request with the
"no-cache" pragma set) cleared the TYPO3 cache of the requested page. This
may be considered a potential target for Denial of Service attacks.

TYPO3-20051114-5: encryptionKey
http://typo3.org/teams/security/security-bulletins/typo3-20051114-5/
For convenience, the TYPO3 Install Tool provides a button that sets the
"encryptionKey" to a random value. It has been observed that only parts of
the generated value are actually random. The overall key is therefore
unique and -as of today- considered sufficiently secure. However, the
effective key length is not the intended one.

TYPO3-20051114-6: config.baseURL
http://typo3.org/teams/security/security-bulletins/typo3-20051114-6/
Under special circumstances, setting config.baseURL (see
typo3.org/documentation/document-library/doc_core_tsref/quot_CONFIG_quot/ )
to a numeric value ("1") could be used to spoof a malicious baseURL into
your TYPO3 cache. It has now been decided to technically prevent this
misconfiguration.

TYPO3-20051114-7: fileadmin/_temp_/
http://typo3.org/teams/security/security-bulletins/typo3-20051114-7/
Situations are imaginable where sensitive information gets stored in the
fileadmin/_temp_/ directory. If misconfigured in your web server, this
directory can be browsable and therefore expose that information.



Please see the complete bulletins
(http://typo3.org/teams/security/security-bulletins/) for details.

Please see the "Whats new" article
(http://typo3.org/development/articles/new-features-in-typo3-381/) for
further information on TYPO3 3.8.1.

And: Please make sure to subscribe to the TYPO3 Announcement mailing list
(http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-announce) to
receive future announcements.





Regards,
Ekkehard Guembel
TYPO3 Security Team


- -> This information comes with ABSOLUTELY NO WARRANTY.
- -> Visit http://typo3.org/teams/security/security-bulletins

-----BEGIN PGP SIGNATURE-----

iQA/AwUBQ3huxbacx8F96kPgEQKLtgCgo8cFW1ub95BuJy4dI2E5ukfgGu0AoK1Y
yc+bdYd1LPc7TQWMhM324KOn
=g7Dp
-----END PGP SIGNATURE-----
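An audit for the condition described in TYPO3-20051114-1, as an added example that is not part of the original announcement or of TYPO3: it walks a web root and reports "~" backup copies of script files, listing which sensitive setting names they contain without printing the values. The extension list, the setting-name pattern, the function names and the sample tree (including its variable names) are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Extensions a web server normally hands to an interpreter; with "~" appended
# the file may be delivered as plain text instead (assumed list).
SCRIPT_EXTS = (".php", ".php3", ".inc")
# Setting names worth flagging; only the names are reported, never the values.
SENSITIVE = re.compile(r"(password|encryptionKey)", re.IGNORECASE)


def find_exposed_backups(webroot):
    """Return [(relative_path, sorted setting names)] for "~" backups of scripts."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.endswith("~"):
                continue  # not an editor-style backup copy
            if not name[:-1].lower().endswith(SCRIPT_EXTS):
                continue  # original was not a script, so no source disclosure
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                names = sorted({m.group(1) for m in SENSITIVE.finditer(fh.read())})
            rel = os.path.relpath(path, webroot).replace(os.sep, "/")
            findings.append((rel, names))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample layout and content, not a real TYPO3 installation."""
    conf = os.path.join(root, "typo3conf")
    os.makedirs(conf)
    body = ("<?php\n$typo_db_password = 'constructed';\n"
            "$TYPO3_CONF_VARS['SYS']['encryptionKey'] = 'constructed';\n")
    for name in ("localconf.php", "localconf.php~", "notes.txt~"):
        with open(os.path.join(conf, name), "w") as fh:
            fh.write(body if name.startswith("localconf") else "todo\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, names in find_exposed_backups(build_sample_tree(tmp)):
            print(f"{rel}: contains {', '.join(names) or 'script source'}")
```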


