[TYPO3-announce] TYPO3 Collective Security Bulletin TYPO3-20080619-1: Several vulnerabilities in third party extensions
Lars Houmark
lars at typo3.org
Thu Jun 19 07:32:22 CEST 2008
Dear users of TYPO3,
Multiple issues have been found in third party TYPO3 extensions.
This Collective Security Bulletin (CSB) lists vulnerable extensions
that have neither significant download numbers nor any other special
importance within the TYPO3 community. The intention of CSBs is to
reduce the workload of the TYPO3 Security Team and of the authors or
maintainers of the affected extensions. Nevertheless, vulnerabilities
in the TYPO3 core or in important extensions will still each receive
the well-known single Security Bulletin.
Please read an extended explanation on CSBs here [4].
All vulnerabilities affect third party extensions. These extensions
are not part of the TYPO3 default installation.
Extension: Frontend Filemanager (air_filemanager)
Affected Versions: 0.6.1 and all versions below
Vulnerability Type: Arbitrary code execution on Apache
Severity: HIGH
Solution: An updated version 0.6.2 is available from the TYPO3
extension manager and at
http://typo3.org/extensions/repository/view/air_filemanager/0.6.2/.
Credits: Credits go to Security Team member Marcus Krause, who
discovered and reported the issue.
Extension: CoolURI (cooluri)
Affected Versions: 1.0.11 and all versions below
Vulnerability Type: SQL Injection
Severity: HIGH
Solution: An updated version 1.0.12 is available from the TYPO3
extension manager and at
http://typo3.org/extensions/repository/view/cooluri/1.0.12/.
Note: At the time of this writing, the most recent version of CoolURI
is version 1.0.14, which is available at
http://typo3.org/extensions/repository/view/cooluri/1.0.14/.
Credits: Credits go to Dmitry Dulepov and Jigal van Hemert who
discovered and reported the issue.
Extension: DCD GoogleMap (dcdgooglemap)
Affected Versions: 1.1.0 and all versions below
Vulnerability Type: Cross Site Scripting (XSS)
Severity: Medium
Solution: An updated version 1.1.1 is available from the TYPO3
extension manager and at
http://typo3.org/extensions/repository/view/dcdgooglemap/1.1.1/.
Credits: Credits go to Jochen Rau, who discovered and reported the
issue.
Extension: JobControl (dmmjobcontrol)
Affected Versions: 1.15.0 and all versions below
Vulnerability Type: SQL Injection, Cross Site Scripting (XSS)
Severity: HIGH
Solution: An updated version 1.15.1 is available from the TYPO3
extension manager and at
http://typo3.org/extensions/repository/view/dmmjobcontrol/1.15.1/.
Note: At the time of this writing, the most recent version of
JobControl is version 1.15.2 which is available at
http://typo3.org/extensions/repository/view/dmmjobcontrol/1.15.2/.
Credits: Credits go to Marc Bastian Heinrichs, who discovered and
reported the issues.
Extension: nepa-design.de Spam Protection (nd_antispam)
Affected Versions: 1.0.3
Vulnerability Type: External Setting Manipulation
Severity: low
Solution: This extension is no longer maintained by the author. Please
uninstall and delete the extension folder from your installation. The
extension will no longer be available in the TYPO3 Extension Repository.
Credits: Credits go to Patrick Broens, who discovered and reported the
issue.
Extension: Diocese of Portsmouth Calendar Today (pd_calendar_today)
Affected Versions: 0.0.3 and all versions below
Vulnerability Type: SQL Injection
Severity: HIGH
Solution: This extension is no longer maintained by the author. Please
uninstall and delete the extension folder from your installation. The
extension will no longer be available in the TYPO3 Extension Repository.
Credits: Credits go to Georg Ringer, who discovered and reported the
issue.
Extension: Diocese of Portsmouth Training Courses (pd_trainingcourses)
Affected Versions: 0.1.1
Vulnerability Type: SQL Injection
Severity: HIGH
Solution: This extension is no longer maintained by the author. Please
uninstall and delete the extension folder from your installation. The
extension will no longer be available in the TYPO3 Extension Repository.
Credits: Credits go to Georg Ringer, who discovered and reported the
issue.
Extension: Download system (sb_downloader)
Affected Versions: 0.1.4 and all versions below
Vulnerability Type: SQL Injection
Severity: HIGH
Solution: An updated version 0.1.5 is available from the TYPO3
extension manager and at
http://typo3.org/extensions/repository/view/sb_downloader/0.1.5/.
Note: At the time of this writing, the most recent version of this
extension is version 0.1.7, which is available at
http://typo3.org/extensions/repository/view/sb_downloader/0.1.7/.
Credits: Credits go to Georg Ringer, who discovered and reported the
issue.
Extension: Random Prayer (ste_prayer)
Affected Versions: 0.0.1
Vulnerability Type: SQL Injection
Severity: HIGH
Solution: This extension is no longer maintained by the author. Please
uninstall and delete the extension folder from your installation. The
extension will no longer be available in the TYPO3 Extension Repository.
Credits: Credits go to Georg Ringer, who discovered and reported the
issue.
Extension: TIMTAB - social bookmark icons (timtab_sociable)
Affected Versions: 2.0.4 and all versions below
Vulnerability Type: SQL Injection
Severity: HIGH
Solution: An updated version 2.0.5 is available from the TYPO3
extension manager and at
http://typo3.org/extensions/repository/view/timtab_sociable/2.0.5/.
Credits: Credits go to Dmitry Dulepov, who discovered and reported the
issue.
Extension: Resource Library (tjs_reslib)
Affected Versions: 0.1.0 and all versions below
Vulnerability Type: Cross Site Scripting (XSS)
Severity: Medium
Solution: This extension is no longer maintained by the author. Please
uninstall and delete the extension folder from your installation. The
extension will no longer be available in the TYPO3 Extension Repository.
Credits: Credits go to Security Team member Marcus Krause, who
discovered and reported the issue.
Extension: Fussballtippspiel (toto)
Affected Versions: 0.1.1 and all versions below
Vulnerability Type: SQL Injection
Severity: HIGH
Solution: An updated version 0.1.2 is available from the TYPO3
extension manager and at
http://typo3.org/extensions/repository/view/toto/0.1.2/.
Credits: Credits go to Security Team member Henning Pingel, who
discovered and reported the issue.
Extension: TARGET-E WorldCup Bets (worldcup)
Affected Versions: 2.0.0 and all versions below
Vulnerability Type: SQL Injection, Cross Site Scripting (XSS)
Severity: HIGH
Solution: An updated version 2.0.1 is available from the TYPO3
extension manager and at
http://typo3.org/extensions/repository/view/worldcup/2.0.1/.
Credits: Credits go to Martin Holtz and Security Team member Marcus
Krause, who discovered and reported the issues.
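The entries above give an affected-version range per extension key ("x.y.z and all versions below" or a single version) and either a fixed version or an instruction to uninstall. The following script, an added example that is not part of this bulletin or of the TYPO3 project, transcribes that table and evaluates an installed-extension inventory against it. The inventory dictionary is a constructed stand-in for the list you would take from the extension manager; the bulletin itself does not define such a script.

```python
"""Check a TYPO3 extension inventory against TYPO3-20080619-1 (added example)."""

# Affected-version table transcribed from the bulletin:
# key -> (highest affected version, "and all versions below"?, fixed version or None).
# A fixed version of None means the bulletin says to uninstall the extension.
BULLETIN = {
    "air_filemanager":   ("0.6.1",  True,  "0.6.2"),
    "cooluri":           ("1.0.11", True,  "1.0.12"),
    "dcdgooglemap":      ("1.1.0",  True,  "1.1.1"),
    "dmmjobcontrol":     ("1.15.0", True,  "1.15.1"),
    "nd_antispam":       ("1.0.3",  False, None),   # bulletin lists 1.0.3 only
    "pd_calendar_today": ("0.0.3",  True,  None),
    "pd_trainingcourses":("0.1.1",  False, None),   # bulletin lists 0.1.1 only
    "sb_downloader":     ("0.1.4",  True,  "0.1.5"),
    "ste_prayer":        ("0.0.1",  False, None),   # bulletin lists 0.0.1 only
    "timtab_sociable":   ("2.0.4",  True,  "2.0.5"),
    "tjs_reslib":        ("0.1.0",  True,  None),
    "toto":              ("0.1.1",  True,  "0.1.2"),
    "worldcup":          ("2.0.0",  True,  "2.0.1"),
}

UNINSTALL = "uninstall and delete the extension folder (no longer maintained)"


def parse_version(version):
    """Turn 'x.y.z' into a comparable tuple, padding to three components
    so that '1.0' and '1.0.0' compare equal."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def assess(key, installed_version):
    """Return (affected, action) for one installed extension."""
    if key not in BULLETIN:
        return False, "not covered by this bulletin"
    highest_affected, below_too, fixed = BULLETIN[key]
    installed = parse_version(installed_version)
    top = parse_version(highest_affected)
    # "and all versions below" is an inclusive upper bound; otherwise exact match.
    affected = installed <= top if below_too else installed == top
    if not affected:
        return False, "not affected"
    if fixed is None:
        return True, UNINSTALL
    return True, f"update to {fixed}"


def check_inventory(inventory):
    """inventory: dict of extension key -> installed version string.
    Returns a sorted list of (key, version, action) for affected extensions."""
    findings = []
    for key, version in sorted(inventory.items()):
        affected, action = assess(key, version)
        if affected:
            findings.append((key, version, action))
    return findings


# Constructed sample inventory; not taken from any real installation.
SAMPLE_INVENTORY = {
    "air_filemanager": "0.6.1",    # highest affected version -> update
    "cooluri": "1.0.14",           # newer than the fix -> clean
    "dmmjobcontrol": "1.14.3",     # below 1.15.0 -> update
    "nd_antispam": "1.0.2",        # bulletin lists 1.0.3 only -> not flagged
    "pd_calendar_today": "0.0.3",  # unmaintained -> uninstall
    "sb_downloader": "0.1.5",      # the fixed version -> clean
    "tt_news": "2.3.1",            # not covered by this bulletin
}

if __name__ == "__main__":
    for key, version, action in check_inventory(SAMPLE_INVENTORY):
        print(f"{key} {version}: {action}")
```

Where the bulletin names only a single affected version, the script flags exactly that version; an operator who runs an older release of such an extension should still treat it as unmaintained and follow the uninstall advice, since no fixed version exists.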
General advice: Follow the recommendations that are given in the TYPO3
Security Cookbook [1]. Please subscribe to the typo3-announce mailing
list [2] in order to receive future Security Bulletins via E-mail. All
TYPO3 Security Bulletins are available at the Security Team pages on
typo3.org [3].
[1] http://typo3.org/fileadmin/security-team/typo3_security_cookbook_v-0.5.pdf
[2] http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-announce
[3] http://typo3.org/teams/security/security-bulletins/
[4] http://buzz.typo3.org/teams/security/article/collective-security-bulletins-csb-the-reason-for/
Regards,
Lars Houmark
lars at typo3.org