[TYPO3-UG Dutch] Fwd: [TYPO3-announce] TYPO3 Security Bulletin TYPO3-20061220-1: Remote Command Execution in TYPO3

Bart Veldhuizen [V-INT] bart at v-int.nl
Wed Dec 20 20:29:10 CET 2006


Hello list,

I received the following security warning this afternoon. Since I hadn't
seen it here yet, I thought it would be useful to share it.

I do have a question about it: under the heading 'solution' there are
solutions A) and B). Am I right in understanding that you can do either
one and are then safe again? Because I don't think it's a great idea to
quickly upgrade all of my clients' sites to 4.0.4 this evening ;-)

Bart

Begin forwarded message:

> From: Ingmar Schlecht <ingmar at typo3.org>
> Date: 20 December 2006 15:35:05 GMT+01:00
> To: "TYPO3 Announcement List, readonly" <typo3-announce at lists.netfielders.de>
> Subject: [TYPO3-announce] TYPO3 Security Bulletin
> TYPO3-20061220-1: Remote Command Execution in TYPO3
> Reply-To: "TYPO3 Announcement List, readonly" <typo3-announce at lists.netfielders.de>
>
> Dear users of TYPO3,
>
> a critical problem has been discovered in the rtehtmlarea extension.
>
> An attacker can use the flaw to execute arbitrary system commands,
> compromising the TYPO3 installation including the database and other
> files on the server.
>
> The system is vulnerable if PHP safe_mode is disabled. If safe_mode is
> enabled, the bug can not be exploited.
> Please be aware that TYPO3 versions 4.0 and higher include rtehtmlarea
> as a system extension by default, and that a system may be affected even
> if the extension is not set to "Installed" in the Extension Manager.
> Since TYPO3 versions 4.0 and higher include rtehtmlarea as a system
> extension by default, all installations of version 4.0 through 4.0.3 and
> 4.1 beta are vulnerable if PHP safe_mode is disabled.
>
> Updated versions of TYPO3 (4.0.4, 4.1beta2) are available at
> http://typo3.org/download/packages/, updated versions of the rtehtmlarea
> extension are available in the extension repository.
>
> All users of TYPO3 versions 4.0 through 4.0.3 and/or rtehtmlarea
> versions 0.7.5 through 1.4.2 are advised to update their installations
> immediately.
>
> ==== Component Type ====
> System Extension (TYPO3 Versions 4.0-4.0.3, 4.1beta)
> Third Party Extension (TYPO3 Versions up to 3.8.1). Since
> TYPO3 Version 4.0 the extension is part of the TYPO3 default
> installation
>
> ==== Affected Versions ====
> TYPO3 default installation version 4.0 through 4.0.3, 4.1beta
> Extension rtehtmlarea versions 0.7.5 through 1.4.2
>
> ==== Vulnerability Type ====
> Remote Command Execution
>
> ==== Severity ====
> CRITICAL
>
> ==== Solution ====
> A) Update your TYPO3 core system to the latest version
> B) Update all instances (system/global/local) of extension
>    rtehtmlarea:
>
> Please use the list below to find the version of rtehtmlarea that
> matches the version of TYPO3 you are using:
>
> rtehtmlarea version 1.3.8
> 	is for TYPO3 version 4.0.x
>
> rtehtmlarea version 1.4.3
> 	is for TYPO3 version 4.0.x that is using rtehtmlarea 1.4.2
> 	(updated via TER)
>
> rtehtmlarea version 1.2.0
> 	is for TYPO3 version 3.8.x
>
> rtehtmlarea version 1.1.4
> 	is for TYPO3 version 3.7.x
>
> rtehtmlarea version 1.5.1dev
> 	is for TYPO3 version 4.1beta
>
> When using the extension manager to update the extension you need to
> click on the name of the extension (rather than the update icon to the
> left of it) to access older versions than the latest.
>
> NOTE: If you have installed rtehtmlarea in multiple locations (as
> SYSTEM, GLOBAL and/or LOCAL extension), ALL of them need to be updated.
>
> ==== Quick Fix ====
> (Apply the Quick Fix only as a last resort when TYPO3 and/or the
> extension can't be updated immediately):
>
> Simply delete the file class.tx_rtehtmlarea_pi1.php from the following
> locations:
> PATH_TO_YOUR_SITE/typo3/sysext/rtehtmlarea/pi1
> PATH_TO_YOUR_SITE/typo3/ext/rtehtmlarea/pi1
> PATH_TO_YOUR_SITE/typo3conf/ext/rtehtmlarea/pi1
>
> ==== MD5 Sums for Core Packages ====
> 4.0.4:
> 8a3c066d3a1dfb9c86ede7838805f1de  dummy-4.0.4.tar.gz
> bcf111df3c2abab5ee7ae0a32904d0ca  dummy-4.0.4.zip
> 377a357df848028c604d53ad9953353c  typo3_src-4.0.4.tar.gz
> 9e311279e711cffce7acc4e5c407296f  typo3_src-4.0.4.zip
> 16f239d68aceeae14d64a38d83afb4a7  typo3_src+dummy-4.0.4.zip
>
> 4.1 Beta 2:
> 182b7826bcb91c8cae594b55837f01e0  dummy-4.1beta2.tar.gz
> 2c8a9c53774515c00515d7e2e5874687  dummy-4.1beta2.zip
> fc666d91f71ed29474ee11dcc74a5a5c  typo3_src-4.1beta2.tar.gz
> 43dc050d86a8e8b6da6658ab70ee0a9d  typo3_src-4.1beta2.zip
> e96b872c1177fa549367d5ed99d6a348  typo3_src+dummy-4.1beta2.zip
>
> ==== General advice ====
> Follow the recommendations that are given in the TYPO3 Security Cookbook.
>
> ==== Credits ====
> Thanks to Daniel Fabian from SEC Consult (http://www.sec-consult.com)
> who discovered the vulnerability and notified the TYPO3 security team.
> Thanks to Peter Niederlag, Michael Stucki, Rupert Germann, Jochen
> Weiland, Ingmar Schlecht and the other members of the security team who
> immediately started working on the problem and the fix after the
> security team was notified.
>
> Regards,
> TYPO3 Security Team
>
> _______________________________________________
> TYPO3-announce mailing list
> TYPO3-announce at lists.netfielders.de
> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-announce

Bart Veldhuizen
bart at vrotvrot.com

Daily Blender News on BlenderNation.com



--------------------------------------------------------------------------
Bart Veldhuizen, Veldhuizen Interactive.  Tel: 06-420 67 330
website analyse & advies | content management systemen
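As an added example (not part of the bulletin, of this thread, or of TYPO3's own tooling), here is a POSIX shell script that checks a site the way the Solution, NOTE and Quick Fix sections describe: it reads the version of every on-disk copy of rtehtmlarea (typo3/sysext, typo3/ext, typo3conf/ext), flags those in the affected 0.7.5 through 1.4.2 range, can apply the Quick Fix by deleting class.tx_rtehtmlarea_pi1.php from all three locations, and compares a downloaded core package against one of the listed MD5 sums. The function names, the version-key arithmetic, and the constructed demo site with its ext_emconf.php contents are assumptions of this example, not anything from the bulletin.

```shell
#!/bin/sh
# Added example, not bulletin or TYPO3 code: audit every on-disk copy of
# rtehtmlarea under a site root against the bulletin's affected range
# (0.7.5 through 1.4.2), apply the "Quick Fix", and verify a package MD5.
# Function names and the constructed demo site are this example's assumptions.

# Map "1.4.2" or "1.5.1dev" to one comparable integer (1*10000 + 4*100 + 2).
# Non-numeric suffixes such as "dev" are dropped before comparing.
version_key() {
  vk_v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
  set -- $(printf '%s' "$vk_v" | tr '.' ' ')
  echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
}

# Exit 0 when the rtehtmlarea version lies in 0.7.5 .. 1.4.2 (inclusive).
is_vulnerable() {
  iv_k=$(version_key "$1")
  [ "$iv_k" -ge "$(version_key 0.7.5)" ] && [ "$iv_k" -le "$(version_key 1.4.2)" ]
}

# Read the 'version' entry of an extension's ext_emconf.php (TYPO3's
# extension manifest); prints nothing when the file or entry is missing.
ext_version() {
  sed -n "s/.*'version' *=> *'\([^']*\)'.*/\1/p" "$1/ext_emconf.php" 2>/dev/null | head -n 1
}

# The bulletin's three locations, relative to the site root. Presence on disk
# is what counts: a sysext copy not "Installed" in the Extension Manager too.
EXT_LOCATIONS="typo3/sysext typo3/ext typo3conf/ext"
PI1_CLASS="pi1/class.tx_rtehtmlarea_pi1.php"

# Print one line per rtehtmlarea copy under $1; exit 1 if any is affected.
audit_site() {
  as_rc=0
  for as_loc in $EXT_LOCATIONS; do
    as_dir="$1/$as_loc/rtehtmlarea"
    [ -d "$as_dir" ] || continue
    as_ver=$(ext_version "$as_dir")
    if [ -z "$as_ver" ]; then
      echo "$as_loc: rtehtmlarea present, no version in ext_emconf.php; inspect by hand"
      as_rc=1
    elif is_vulnerable "$as_ver"; then
      if [ -f "$as_dir/$PI1_CLASS" ]; then
        echo "$as_loc: rtehtmlarea $as_ver VULNERABLE (0.7.5-1.4.2), pi1 class present"
      else
        echo "$as_loc: rtehtmlarea $as_ver vulnerable version, quick fix applied; still update"
      fi
      as_rc=1
    else
      echo "$as_loc: rtehtmlarea $as_ver ok"
    fi
  done
  return $as_rc
}

# The bulletin's Quick Fix: remove the pi1 class from every location.
quick_fix_site() {
  for qf_loc in $EXT_LOCATIONS; do
    qf_f="$1/$qf_loc/rtehtmlarea/$PI1_CLASS"
    if [ -f "$qf_f" ]; then
      rm -f "$qf_f" && echo "removed $qf_f"
    fi
  done
}

# Compare a downloaded package ($1) with an MD5 sum from the bulletin ($2).
verify_package() {
  if command -v md5sum >/dev/null 2>&1; then
    vp_actual=$(md5sum "$1" | cut -d' ' -f1)
  else
    vp_actual=$(md5 -q "$1")   # BSD/macOS
  fi
  [ "$vp_actual" = "$2" ]
}

# Constructed demo site (an assumption, not a real installation): an affected
# 1.3.7 copy as sysext and an already updated 1.4.3 copy under typo3conf/ext.
write_emconf() {   # $1 = extension dir, $2 = version string
  cat > "$1/ext_emconf.php" <<EOF
<?php
\$EM_CONF[\$_EXTKEY] = array(
  'title' => 'htmlArea RTE',
  'version' => '$2',
);
EOF
}
make_demo_site() {
  md_root=$(mktemp -d)
  for md_loc in typo3/sysext typo3conf/ext; do
    mkdir -p "$md_root/$md_loc/rtehtmlarea/pi1"
    : > "$md_root/$md_loc/rtehtmlarea/$PI1_CLASS"
  done
  write_emconf "$md_root/typo3/sysext/rtehtmlarea" 1.3.7
  write_emconf "$md_root/typo3conf/ext/rtehtmlarea" 1.4.3
  echo "$md_root"
}

demo() {
  d_site=$(make_demo_site)
  audit_site "$d_site" || echo "-> at least one copy needs attention"
  quick_fix_site "$d_site"
  audit_site "$d_site" || echo "-> quick fix is a stopgap; update the extension or the core"
  rm -rf "$d_site"
}
case "${1:-}" in --demo) demo ;; esac
```

Run it as `sh audit_rtehtmlarea.sh --demo` to see the constructed site audited before and after the Quick Fix; point `audit_site` at a real site root to check a live installation. Two design points: the audit keeps flagging a copy after the Quick Fix because the version on disk is unchanged, which matches the bulletin's "last resort" wording for that fix; and `verify_package` only tells you the download matches the sum printed in the same mail that carries the download link, so it catches a corrupted or wrong file, not a compromised distribution point.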



