[TYPO3-UG Spain] Security problem identified
Yuso
yuso at santurde.com
Thu Dec 21 07:55:23 CET 2006
I imagine you are all aware of it, but in case someone does not know:
Security problem in HTML AREA, as reported in the news on
www.typo3.org
Regards
Pedro
TYPO3 Security Bulletin TYPO3-20061220-1: Remote Command Execution in TYPO3
Author: Peter Niederlag
Category: www.typo3.org, Security
Component Type: System Extension (TYPO3 Versions 4.0-4.0.3, 4.1beta)
Third Party Extension (TYPO3 Versions up to 3.8.1). Since
TYPO3 Version 4.0 the extension is part of the TYPO3 default
installation
Affected Versions: TYPO3 default installation version 4.0 through 4.0.3,
4.1beta
Extension rtehtmlarea versions 0.7.5 through 1.4.2
Vulnerability Type: Remote Command Execution
Severity: CRITICAL
Problem Description:
A critical problem has been discovered in plugin
class.tx_rtehtmlarea_pi1.php that is used for spell-checking in the
rtehtmlarea extension.
An attacker could use the flaw to execute arbitrary system commands,
compromising the TYPO3 installation including the database and other files
on the server.
The system is vulnerable if PHP safe_mode is disabled. If safe_mode is
enabled, the bug can not be exploited.
Please be aware that TYPO3 versions 4.0 and higher include rtehtmlarea as a
system extension by default, and that a system may be affected even if the
extension is not set to "Installed" in the Extension Manager.
Since TYPO3 versions 4.0 and higher include rtehtmlarea as a system
extension by default, all installations of version 4.0 through 4.0.3 and 4.1
beta are vulnerable if PHP safe_mode is disabled.
Updated versions of TYPO3 (4.0.4, 4.1beta2) as well as rtehtmlarea are
available in the download section of typo3.org and the extension
repository.
All users of TYPO3 versions 4.0 through 4.0.3 and/or rtehtmlarea versions
0.7.5 through 1.4.2 are advised to update their installations immediately.
Solution:
A) Update your TYPO3 core system to the latest version
B) Update all instances (system/global/local) of extension rtehtmlarea:
Please use the list below to find the version of rtehtmlarea that matches
the version of TYPO3 you are using.
rtehtmlarea version 1.3.8 is for TYPO3 version 4.0.x
rtehtmlarea version 1.4.3 is for TYPO3 version 4.0.x that is using
rtehtmlarea 1.4.2 (updated via TER)
rtehtmlarea version 1.2.1 is for TYPO3 version 3.8.x
rtehtmlarea version 1.1.4 is for TYPO3 version 3.7.x
rtehtmlarea version 1.5.1dev is for TYPO3 version 4.1beta
When using the extension manager to update the extension you need to click
on the name of the extension (rather than the update icon left of it) to
access older versions than the latest.
NOTE: If you have installed rtehtmlarea in multiple locations (as SYSTEM,
GLOBAL and/or LOCAL extension), ALL of them need to be updated.
Quick Fix (apply only as a last resort when TYPO3 and/or the extension can't
be updated immediately):
Delete the file 'class.tx_rtehtmlarea_pi1.php'.
The file 'class.tx_rtehtmlarea_pi1.php' can be found in one or more of the
following locations:
PATH_TO_YOUR_SITE/typo3/sysext/rtehtmlarea/pi1
PATH_TO_YOUR_SITE/typo3/ext/rtehtmlarea/pi1
PATH_TO_YOUR_SITE/typo3conf/ext/rtehtmlarea/pi1
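As an added example (not part of the bulletin and not TYPO3 project code), a POSIX shell audit that walks the three locations listed above, reads the declared version from each copy's ext_emconf.php (assumed to carry a 'version' => 'x.y.z' entry, as TYPO3 extension metadata does) and flags every copy of the plugin file that is still inside the affected range and not one of the fixed releases the bulletin names:

```sh
#!/bin/sh
# Added audit script (not TYPO3 project code) for bulletin TYPO3-20061220-1.
# Assumption: each rtehtmlarea copy has an ext_emconf.php with 'version' => 'x.y.z'.

# The three locations the bulletin lists for the spell-checker plugin file,
# relative to the site root: SYSTEM, GLOBAL and LOCAL extension copies.
RTE_DIRS="typo3/sysext/rtehtmlarea typo3/ext/rtehtmlarea typo3conf/ext/rtehtmlarea"

# Print the version declared in $1/ext_emconf.php, or "unknown" if not found.
rte_version() {
    v=$(sed -n "s/.*'version' *=> *'\([0-9][0-9.a-z]*\)'.*/\1/p" "$1/ext_emconf.php" 2>/dev/null | head -n 1)
    printf '%s\n' "${v:-unknown}"
}

# Return 0 (true) if version $1 is an affected release: inside 0.7.5 .. 1.4.2
# and not one of the fixed releases the bulletin names (1.1.4, 1.2.1 and 1.3.8
# lie inside that numeric range but already carry the fix).
version_affected() {
    case $1 in
        1.1.4|1.2.1|1.3.8|1.4.3|1.5.1dev) return 1 ;;
    esac
    # Pack major.minor.patch into one integer; a trailing "dev" is ignored by awk.
    echo "$1" | awk -F. '{
        n  = $1 * 1000000 + $2 * 1000 + $3
        lo = 0 * 1000000 + 7 * 1000 + 5
        hi = 1 * 1000000 + 4 * 1000 + 2
        exit !(n >= lo && n <= hi)
    }'
}

# Audit one site root: one line per plugin copy found; returns 0 when no copy
# needs action, 1 otherwise. A copy whose version cannot be read is flagged too,
# since the bulletin warns that a copy not set to "Installed" can still be affected.
audit_site() {
    root=$1
    status=0
    for d in $RTE_DIRS; do
        plugin="$root/$d/pi1/class.tx_rtehtmlarea_pi1.php"
        [ -f "$plugin" ] || continue
        ver=$(rte_version "$root/$d")
        if [ "$ver" = unknown ] || version_affected "$ver"; then
            echo "ACTION NEEDED: $plugin (rtehtmlarea $ver)"
            status=1
        else
            echo "ok: $plugin (rtehtmlarea $ver)"
        fi
    done
    return $status
}

# Usage: sh audit_rtehtmlarea.sh /path/to/site
if [ $# -gt 0 ]; then audit_site "$1"; fi
```

A copy reported as "ACTION NEEDED" is one the bulletin says to update, or, as a last resort, whose pi1/class.tx_rtehtmlarea_pi1.php file is to be deleted; every flagged location must be handled, not just the first.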
General advice:
Follow the recommendations that are given in the TYPO3 Security Cookbook.
Credits:
Thanks to Daniel Fabian from SEC Consult (http://www.sec-consult.com) who
discovered the vulnerability and notified the TYPO3 security team.
Thanks to Peter Niederlag, Michael Stucki, Rupert Germann and the other
members of the security team who immediately started working on the problem
and the fix after the security team was notified.