TYPO3 Security Bulletin

2008-06-19T00:00:00
ID TYPO3-20080619-1
Type typo3
Reporter TYPO3 Association
Modified 2008-06-19T00:00:00

Description

Several vulnerabilities have been found in TYPO3 third party extensions.

Please read first: This Collective Security Bulletin (CSB) is a listing of vulnerable extensions with neither significant
download numbers nor other special importance amongst the TYPO3 Community. The intention of CSBs is to reduce the workload of the TYPO3 Security Team and the authors or maintainers of the extensions with the issues. Nethertheless, vulnerabilities in TYPO3 core or important extensions will still get the well-known single Security Bulletin each.

Please read our buzz blog post, which has a detailed explanation on CSBs.

All vulnerabilities affect third party extensions. These extensions are not part of the TYPO3 default installation.

Extension: Frontend Filemanager (air_filemanager)
Affected Versions: 0.6.1 and all versions below
Vulnerability Type: Arbitrary code execution on Apache
Severity: HIGH
Solution: An updated version 0.6.2 is available from the TYPO3 extension manager and at
typo3.org/extensions/repository/view/air_filemanager/0.6.2/.
Credits: Credits go to Security Team member Marcus Krause, who discovered and reported the issue.


Extension:
CoolURI (cooluri)
Affected Versions: 1.0.11 and all versions below
Vulnerability Type: SQL Injection
Severity: HIGH
Solution: An updated version 1.0.12 is available from the TYPO3 extension manager and at
typo3.org/extensions/repository/view/cooluri/1.0.12/.
Note: At the time of this writing, the most recent version of CoolURI is version 1.0.14 which is available at typo3.org/extensions/repository/view/cooluri/1.0.14/.
Credits:
Credits go to Dmitry Dulepov and Jigal van Hemert who discovered and reported the issue.


Extension: DCD GoogleMap (dcdgooglemap)
Affected Versions: 1.1.0 and all versions below
Vulnerability Type: Cross Site Scripting (XSS)
Severity: Medium
Solution: An updated version 1.1.1 is available from the TYPO3 extension manager and at
typo3.org/extensions/repository/view/dcdgooglemap/1.1.1/.
Credits: Credits go to Jochen Rau, who discovered and reported the issue.

Extension: JobControl (dmmjobcontrol)
Affected Versions: 1.15.0 and all versions below
Vulnerability Type: SQL Injection, Cross Site Scripting (XSS)
Severity: HIGH
Solution: An updated version 1.15.1 is available from the TYPO3 extension manager and at
typo3.org/extensions/repository/view/dmmjobcontrol/1.15.1/.
Note: At the time of this writing, the most recent version of JobControl is version 1.15.2 which is available at
typo3.org/extensions/repository/view/dmmjobcontrol/1.15.2/.
Credits: Credits go to Marc Bastian Heinrichs, who discovered and reported the issues.

Extension: nepa-design.de Spam Protection (nd_antispam)
Affected Versions: 1.0.3
Vulnerability Type: External Setting Manipulation
Severity: low
Solution: This extension is no longer maintained by the author. Please uninstall and delete the extension folder from your installation. The extension will no longer be available in the TYPO3 Extension Repository.
Credits: Credits go to Patrick Broens, who discovered and reported the issue.

Extension: Diocese of Portsmouth Calendar Today (pd_calendar_today)
Affected Versions: 0.0.3 and all versions below
Vulnerability Type: SQL Injection
Severity: HIGH
Solution: This extension is no longer maintained by the author. Please uninstall and delete the extension folder from your installation. The extension will no longer be available in the TYPO3 Extension Repository.
Credits: Credits go to Georg Ringer, who discovered and reported the issue.

Extension: Diocese of Portsmouth Training Courses (pd_trainingcourses)
Affected Versions: 0.1.1
Vulnerability Type: SQL Injection
Severity: HIGH
Solution: This extension is no longer maintained by the author. Please uninstall and delete the extension folder from your installation. The extension will no longer be available in the TYPO3 Extension Repository.
Credits: Credits go to Georg Ringer, who discovered and reported the issue.

Extension: Download system (sb_downloader)
Affected Versions: 0.1.4 and all versions below
Vulnerability Type: SQL Injection
Severity: HIGH
Solution: An updated version 0.1.5 is available from the TYPO3 extension manager and at
typo3.org/extensions/repository/view/sb_downloader/0.1.5/.
Note: At the time of this writing, the most recent version of JobControl is version 0.1.7 which is available at
typo3.org/extensions/repository/view/sb_downloader/0.1.7/.
Credits: Credits go to Georg Ringer, who discovered and reported the issue.

Extension: Random Prayer (ste_prayer)
Affected Versions: 0.0.1
Vulnerability Type: SQL Injection
Severity: HIGH
Solution: This extension is no longer maintained by the author. Please uninstall and delete the extension folder from your installation. The extension will no longer be available in the TYPO3 Extension Repository.
Credits: Credits go to Georg Ringer, who discovered and reported the issue.

Extension: TIMTAB - social bookmark icons (timtab_sociable)
Affected Versions: 2.0.4 and all versions below
Vulnerability Type: SQL Injection
Severity: HIGH
Solution: An updated version 2.0.5 is available from the TYPO3 extension manager and at
typo3.org/extensions/repository/view/timtab_sociable/2.0.5/.
Credits: Credits go to Dmitry Dulepov, who discovered and reported the issue.

Extension: Resource Library (tjs_reslib)
Affected Versions: 0.1.0 and all versions below
Vulnerability Type: Cross Site Scripting (XSS)
Severity: Medium
Solution: This extension is no longer maintained by the author. Please uninstall and delete the extension folder from your installation. The extension will no longer be available in the TYPO3 Extension Repository.
Credits: Credits go to Security Team member Marcus Krause, who discovered and reported the issue.

Extension: Fussballtippspiel (toto)
Affected Versions: 0.1.1 and all versions below
Vulnerability Type: SQL Injection
Severity: HIGH
Solution: An updated version 0.1.2 is available from the TYPO3 extension manager and at
typo3.org/extensions/repository/view/toto/0.1.2/.
Credits: Credits go to Security Team member Henning Pingel, who discovered and reported the issue.

Extension: TARGET-E WorldCup Bets (worldcup)
Affected Versions: 2.0.0 and all versions below
Vulnerability Type: SQL Injection, Cross Site Scripting (XSS)
Severity: HIGH
Solution: An updated version 2.0.1 is available from the TYPO3 extension manager and at
typo3.org/extensions/repository/view/worldcup/2.0.1/.
Credits: Credits go to Martin Holtz and Security Team member Marcus Krause,
who discovered and reported the issues.

General advice: Follow the recommendations that are given in the TYPO3 Security Cookbook. Please subscribe to the typo3-announce mailing list in order to receive future Security Bulletins via E-mail.