[RT-SA-2014-009] Information Disclosure in TYPO3 Extension ke_questionnaire
2014-12-01T00:00:00
ID: SECURITYVULNS:DOC:31467 | Type: securityvulns | Reporter: Securityvulns | Modified: 2014-12-01
Description
Advisory: Information Disclosure in TYPO3 Extension ke_questionnaire
The TYPO3 extension ke_questionnaire stores answered questionnaires in a
publicly reachable directory on the webserver with filenames that are
easily guessable.
Details
Product: ke_questionnaire
Affected Versions: 2.5.2 (possibly all versions)
Fixed Versions: unknown
Vulnerability Type: Information Disclosure
Security Risk: medium
Vendor URL: http://kequestionnaire.kennziffer.com/
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-009
Advisory Status: published
CVE: CVE-2014-8874
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8874
Introduction
"The TYPO3 extension kequestionnaire allows to easily and quickly create
and evaluate individual questionnaires online in any TYPO3 website."
(translated from the official website of ke_questionnaire)
More Details
Files containing the answered questionnaires are stored in the
"typo3temp" directory within the TYPO3 installation, a directory the
webserver serves directly without access control. As the source code of
the ke_questionnaire extension shows, the filename of an answered
questionnaire is derived solely from the questionnaire ID and the TYPO3
backend user ID of the user who created the questionnaire. Both are
database record IDs (small auto-increment integers), so the complete
filename space can be enumerated with a few thousand requests.
Source code (shortened):
------------------------------------------------------------------------------
function init() {
    global $BE_USER,$LANG,$BACK_PATH,$TCA_DESCR,$TCA,$CLIENT,$TYPO3_CONF_VARS;

    // The filename is built only from the questionnaire ID and the uid of
    // the backend user, both small integers: trivially guessable.
    $this->temp_file = 'tx_kequestionnaire_temp_'.$this->q_id.'_'.$GLOBALS['BE_USER']->user['uid'];
    [...]
}
[...]
function createSchedulerTask(){
    $myVars = $GLOBALS['BE_USER']->getSessionData('tx_kequestionnaire');
    // The file is written into typo3temp/ below the web root, where the
    // webserver serves it to anyone who knows (or guesses) the name.
    $file_path = PATH_site.'typo3temp/'.$this->temp_file;
    [...]
}
------------------------------------------------------------------------------

A valid URL that returns the answers to a questionnaire could look like
the following:

http://www.example.com/typo3temp/tx_kequestionnaire_temp_15999_7

Proof of Concept

Using the tool wfuzz[1] it is possible to search for answers to
questionnaires on a TYPO3 site that employs ke_questionnaire:

------------------------------------------------------------------------
$ python wfuzz.py -c -z range,14000-15000 -z range,1-10 --hc 301 \
    http://example.com/typo3temp/tx_kequestionnaire_temp_FUZZ_FUZ2Z
------------------------------------------------------------------------

The first payload range (FUZZ) covers questionnaire IDs, the second
(FUZ2Z) backend user IDs. "--hc 301" hides responses with the status code
the tested site returned for non-existent files; adjust it to whatever
the target answers for a missing file (usually 404) so that only real
hits remain in the output.
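Because the answer files are static files in typo3temp, TYPO3 itself typically never sees the requests; the webserver access log is where an enumeration like the wfuzz run described in this advisory shows up, as one client requesting many distinct tx_kequestionnaire_temp_<q_id>_<uid> names, with an occasional 200 marking a file that was actually disclosed. The following script is an added example written for this page, not code from RedTeam Pentesting or the ke_questionnaire project. It assumes the Apache "combined" log format; the log lines, client addresses and the 20-probe alert threshold are constructed for the example.

```python
"""Detect enumeration of ke_questionnaire answer files in webserver logs.

Added example for this advisory, not code from RedTeam Pentesting or the
ke_questionnaire project. Log lines below are constructed; the log format
and the alert threshold are assumptions.
"""
import re
from collections import defaultdict

# Apache "combined" log format (assumption: the site logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Filename scheme from the advisory: tx_kequestionnaire_temp_<q_id>_<be_uid>
TARGET_RE = re.compile(
    r'/typo3temp/tx_kequestionnaire_temp_(?P<qid>\d+)_(?P<uid>\d+)$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines, min_probes=20):
    """Return {ip: {"probes": n, "leaked": [(qid, uid), ...]}} for every
    client that requested at least min_probes distinct answer filenames.
    A 200 on such a path means an answer file was actually disclosed."""
    per_ip = defaultdict(lambda: {"paths": set(), "leaked": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        t = TARGET_RE.search(rec["path"])
        if t is None:
            continue  # not a questionnaire answer file
        entry = per_ip[rec["ip"]]
        entry["paths"].add(rec["path"])
        if rec["status"] == 200:
            entry["leaked"].append((int(t["qid"]), int(t["uid"])))
    return {
        ip: {"probes": len(e["paths"]), "leaked": sorted(set(e["leaked"]))}
        for ip, e in per_ip.items()
        if len(e["paths"]) >= min_probes
    }


def sample_log():
    """Constructed log: one scanner walking q_id 14000..14029 for uid 1..2
    (60 probes, two of which hit existing files) and one ordinary visitor."""
    hits = {(14007, 1), (14021, 2)}
    lines = []
    for qid in range(14000, 14030):
        for uid in (1, 2):
            status, size = (200, 4821) if (qid, uid) in hits else (404, 209)
            lines.append(
                f'203.0.113.5 - - [01/Dec/2014:10:{qid % 60:02d}:00 +0100] '
                f'"GET /typo3temp/tx_kequestionnaire_temp_{qid}_{uid} HTTP/1.1" '
                f'{status} {size}'
            )
    lines.append('198.51.100.9 - - [01/Dec/2014:10:05:00 +0100] '
                 '"GET /index.php?id=12 HTTP/1.1" 200 11233')
    return lines


if __name__ == "__main__":
    for ip, info in analyse(sample_log()).items():
        print(f"{ip}: {info['probes']} probed filenames, "
              f"{len(info['leaked'])} disclosed: {info['leaked']}")
```

The "leaked" list is the actionable part: each (q_id, uid) pair that answered 200 is a questionnaire whose participants' answers must be treated as disclosed. Lower min_probes for a site with few questionnaires, since a scanner that knows the ID range needs far fewer guesses.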
Workaround

Until a fix is available, the webserver configuration should deny direct
HTTP access to the answered questionnaire files, for example by adding an
.htaccess file to typo3temp that blocks requests for tx_kequestionnaire_*
files. Note that this may break the extension's online evaluation of the
questionnaires if it loads these files through the webserver.
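An .htaccess fragment implementing this workaround, added here as an example and not a file shipped by the extension or given in the advisory. It assumes Apache with AllowOverride permitting Limit (2.2) or AuthConfig (2.4) directives for typo3temp, and that no other legitimately public file in that directory starts with the tx_kequestionnaire_ prefix:

```apache
# <TYPO3 root>/typo3temp/.htaccess   (example, not part of the extension)
# Deny direct HTTP access to answered-questionnaire files. Requires
# "AllowOverride Limit" (Apache 2.2) or "AllowOverride AuthConfig"
# (Apache 2.4) for this directory, otherwise the file is ignored.
<FilesMatch "^tx_kequestionnaire_">
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

After deploying it, request the example URL from the advisory with curl: the server should answer 403 where it previously returned the file, and a request for a non-existent name must answer 403 as well, so that the response no longer reveals which questionnaire/user combinations exist. On nginx the equivalent is a location block for ^/typo3temp/tx_kequestionnaire_ with "deny all;" in the server configuration, since nginx does not read .htaccess files.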
Fix
No official fix available.
Security Risk
Depending on the questions in the questionnaire the answered
questionnaires may contain personal information including participants'
full names, addresses and so on. The risk therefore strongly depends on
the information supplied in the questionnaires. Since this information
will at least often contain email addresses, it is rated as at least a
medium risk.
Timeline
2014-04-21 Vulnerability identified
2014-04-30 Customer approved disclosure to vendor
2014-05-13 Vendor notified
2014-05-20 Vendor works with TYPO3 security team on a fix
2014-06-15 Vendor releases updated version which according to them does not fix the issue
2014-10-08 TYPO3 security team says the issue is still unresolved
2014-11-04 Vendor continues to release updated versions, no response whether the security issue is fixed
2014-11-14 CVE number assigned
2014-12-01 Advisory released
References
[1] https://code.google.com/p/wfuzz/
RedTeam Pentesting GmbH
RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.
NVD entry (CVE-2014-8874)

"The ke_questionnaire extension 2.5.2 and earlier for TYPO3 uses
predictable names for the questionnaire answer forms, which makes it
easier for remote attackers to obtain sensitive information via a direct
request."

CWE: CWE-200
CVSS v2: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N), severity MEDIUM
CPE: cpe:2.3:a:kennziffer:ke_questionnaire:2.5.2:*:*:*:*:typo3:*:*
Published: 2014-12-02, last modified: 2018-10-09
URL: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8874

Other copies of this advisory

Packet Storm: https://packetstormsecurity.com/files/129339/TYPO3-Extension-ke_questionnaire-2.5.2-Information-Disclosure.html
0day.today: https://0day.today/exploit/22957