[TYPO3-UG Spain] Security problem identified

Yuso yuso at santurde.com
Thu Dec 21 07:55:23 CET 2006


I imagine you are all aware of this, but in case someone does not know: 
there is a security problem in HTML AREA, as reported in the news on 
www.typo3.org


Regards

Pedro





TYPO3 Security Bulletin TYPO3-20061220-1: Remote Command Execution in TYPO3
Author: Peter Niederlag
Category: www.typo3.org, Security

Component Type: System Extension (TYPO3 Versions 4.0-4.0.3, 4.1beta)
Third Party Extension (TYPO3 Versions up to 3.8.1). Since
TYPO3 Version 4.0 the extension is part of the TYPO3 default
installation
Affected Versions: TYPO3 default installation version 4.0 through 4.0.3, 
4.1beta
Extension rtehtmlarea versions 0.7.5 through 1.4.2
Vulnerability Type: Remote Command Execution
Severity: CRITICAL

Problem Description:
A critical problem has been discovered in plugin 
class.tx_rtehtmlarea_pi1.php that is used for spell-checking in the 
rtehtmlarea extension.
An attacker could use the flaw to execute arbitrary system commands, 
compromising the TYPO3 installation including the database and other files 
on the server.
The system is vulnerable if PHP safe_mode is disabled. If safe_mode is 
enabled, the bug cannot be exploited.
Please be aware that TYPO3 versions 4.0 and higher include rtehtmlarea as a 
system extension by default, and that a system may be affected even if the 
extension is not set to "Installed" in the Extension Manager.
Since TYPO3 versions 4.0 and higher include rtehtmlarea as a system 
extension by default, all installations of version 4.0 through 4.0.3 and 4.1 
beta are vulnerable if PHP safe_mode is disabled.

Updated versions of TYPO3 (4.0.4, 4.1beta2) as well as rtehtmlarea are 
available in the download section of typo3.org and the extension 
repository.
All users of TYPO3 versions 4.0 through 4.0.3 and/or rtehtmlarea versions 
0.7.5 through 1.4.2 are advised to update their installations immediately.
Solution:
A) Update your TYPO3 core system to the latest version
B) Update all instances (system/global/local) of extension rtehtmlarea:

Please use the list below to find the version of rtehtmlarea that matches 
the version of TYPO3 you are using.
rtehtmlarea version 1.3.8 is for TYPO3 version 4.0.x
rtehtmlarea version 1.4.3 is for TYPO3 version 4.0.x that is using 
rtehtmlarea 1.4.2 (updated via TER)
rtehtmlarea version 1.2.1 is for TYPO3 version 3.8.x
rtehtmlarea version 1.1.4 is for TYPO3 version 3.7.x
rtehtmlarea version 1.5.1dev is for TYPO3 version 4.1beta
When using the extension manager to update the extension you need to click 
on the name of the extension (rather than the update icon to the left of it) to 
access versions older than the latest.
NOTE: If you have installed rtehtmlarea in multiple locations (as SYSTEM, 
GLOBAL and/or LOCAL extension), ALL of them need to be updated.
Quick Fix (apply only as a last resort when TYPO3 and/or the extension can't 
be updated immediately):
Delete the file 'class.tx_rtehtmlarea_pi1.php'.

The file 'class.tx_rtehtmlarea_pi1.php' can be found in one or more of the 
following locations:
PATH_TO_YOUR_SITE/typo3/sysext/rtehtmlarea/pi1
PATH_TO_YOUR_SITE/typo3/ext/rtehtmlarea/pi1
PATH_TO_YOUR_SITE/typo3conf/ext/rtehtmlarea/pi1


General advice:
Follow the recommendations that are given in the TYPO3 Security Cookbook.
Credits:
Thanks to Daniel Fabian from SEC Consult (http://www.sec-consult.com) who 
discovered the vulnerability and notified the TYPO3 security team.
Thanks to Peter Niederlag, Michael Stucki, Rupert Germann and the other 
members of the security team who immediately started working on the problem 
and the fix after the security team was notified.


