SB2018071202 - Multiple vulnerabilities in Typo3 CMS
Published: July 12, 2018
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Authentication bypass (CVE-ID: N/A)
The vulnerability allows a remote attacker to bypass authentication authentication process.
The vulnerability exists due to an error within the Salted Password system extension (ext:saltedpasswords) when using hashing methods which are related by PHP class inheritance. A remote attacker can bypass authentication and login under any user account using an existing username.
Successful exploitation requires that MD5 is used as a default hashing algorithm (not the default configuration).
2) Deserialization of untrusted data (CVE-ID: N/A)
The vulnerability allows a remote attacker to compromise vulnerable application.
The vulnerability exists due to Typo3 does not check content type of files and allows uploading of Phar files. A remote attacker with valid user account can upload a malicious phar file with a safe extension (e.g. jpg) and execute it on the system with privileges of the web server account.
Successful exploitation of the vulnerability allows remote PHP code execution but requires valid user credentials.
3) SQL injection (CVE-ID: N/A)
4) Insecure deserialization (CVE-ID: N/A)
The vulnerability allows a remote authenticated user to compromise vulnerable system.
The vulnerability exists due to improper sanitization of user-supplied data in the Form Framework (system extension "form") when being used with the additional PHP PECL package “yaml”. A privileged attacker can upload a specially crafted form template and execute arbitrary PHP code on the server.
Successful exploitation of the vulnerability requires that setting "yaml.decode_php" option is enabled.
Remediation
Install update from vendor's website.