[Typo3-dev] Vulnerabilities in PHP <= 4.3.9 and <= 5.0.2
Karsten Dambekalns
k.dambekalns at fishfarm.de
Fri Dec 17 23:36:07 CET 2004
Hi Patrick.
On 2004-12-17, Patrick Gaumond <patrick.gaumond at fsa.ulaval.ca> wrote:
> REF: http://www.hardened-php.net/advisories/012004.txt
>
> Is TYPO3 a "backdoor" for such vulnerabilities?
Let's see.
The first point they mention is pack(). It is only used in the TYPO3
core when gzipping before delivering a page to the browser.
t3lib/class.gzip_encode.php: $gzdata .= pack("V",$crc) . pack("V", $size);
As is said in the article, this is unlikely to be exploited at all. If
still concerned, switch off output gzip encoding in TYPO3.
The second point mentions unpack(), this isn't used at all in the
TYPO3 core.
Both commands are used in phpMyAdmin, so careful admins might want to
remove the phpMyAdmin extension.
The safe mode flaws apply mostly to cases where the paths and files
involved are dependent on user input. As TYPO3 only uses system
commands with preconfigured settings (IM, logfile writing) or
additional internal checks (fileadmin), this seems hard to exploit.
The last points in the advisory deal with unserialize(). Now this is
used in a lot of places in TYPO3. The vulnerability seems only
exploitable if carefully crafted malicious code can be fed to
unserialize(). This should be almost impossible, as TYPO3 uses it for
working on internally generated data, such as log entries, preparsed
charset data, BE user settings and template data (constants,
setup). This leads me to the conclusion that at least a BE account
would be needed to tamper with this.
Of course a closer look at this should be taken, as there is never
absolute security. But I'd still say there is no need to shut down your
server until a new PHP version can be installed.
If anybody has further information that backs up or falsifies my
conclusions, please let us know!
Karsten
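A defensive illustration of the unserialize() point above, added here and not part of the original message or of TYPO3's code: serialized data that the application generates itself can carry a keyed MAC, so that unserialize() never sees anything the application did not produce. It assumes a modern PHP (7 or later) for hash_hmac(), hash_equals() and the allowed_classes option, i.e. newer than the versions the thread discusses, and a hypothetical secret $key kept outside the web root.

```php
<?php
// Added example (not TYPO3 code): keep unserialize() away from data the
// application did not generate itself, by storing a keyed MAC with every
// serialized blob and verifying it before unserialize() ever runs.
// Assumes hash_hmac(), hash_equals() and allowed_classes (PHP >= 7) and a
// secret $key loaded from outside the web root; both are assumptions.

function safe_serialize($data, $key) {
    $payload = serialize($data);
    $mac = hash_hmac('sha256', $payload, $key);
    // Store MAC and payload together; the MAC is hex, so ':' cannot occur in it.
    return $mac . ':' . $payload;
}

function safe_unserialize($blob, $key) {
    $parts = explode(':', $blob, 2);
    if (count($parts) !== 2) {
        return false; // malformed: never reaches unserialize()
    }
    list($mac, $payload) = $parts;
    $expected = hash_hmac('sha256', $payload, $key);
    // Constant-time comparison so the check does not leak the MAC byte by byte.
    if (!hash_equals($expected, $mac)) {
        return false; // tampered or foreign data: never reaches unserialize()
    }
    // Only application-generated data gets here. BE user settings and
    // template data are plain arrays, so object instantiation is refused too.
    return unserialize($payload, array('allowed_classes' => false));
}

// Constructed sample: a BE user setting, round-tripped and then tampered with.
$key = 'example-secret-kept-outside-webroot';
$settings = array('lang' => 'de', 'startModule' => 'web_layout');
$blob = safe_serialize($settings, $key);
var_dump(safe_unserialize($blob, $key) === $settings);
var_dump(safe_unserialize(str_replace('de', 'en', $blob), $key));
```

The second call returns false because the payload no longer matches its MAC, which is the property the message relies on: only internally generated data reaches unserialize().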