Date: Mon, 16 Jun 2008 17:23:21 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE id request: TYPO3-20080611-1: Multiple vulnerabilities in TYPO3 Core


======================================================
Name: CVE-2008-2717
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2717
Reference: BUGTRAQ:20080611 TYPO3 Security Bulletin TYPO3-20080611-1: Multiple vulnerabilities in TYPO3 Core
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/493270/100/0/threaded
Reference: CONFIRM:http://buzz.typo3.org/teams/security/article/advice-on-core-security-issue-regarding-filedenypattern/
Reference: CONFIRM:http://typo3.org/teams/security/security-bulletins/typo3-20080611-1/
Reference: DEBIAN:DSA-1596
Reference: URL:http://www.debian.org/security/2008/dsa-1596
Reference: FRSIRT:ADV-2008-1802
Reference: URL:http://www.frsirt.com/english/advisories/2008/1802
Reference: SECUNIA:30619
Reference: URL:http://secunia.com/advisories/30619
Reference: SECUNIA:30660
Reference: URL:http://secunia.com/advisories/30660

TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1
uses an insufficiently restrictive default fileDenyPattern for Apache,
which allows remote attackers to bypass security restrictions and upload
configuration files such as .htaccess, or conduct file upload attacks
using multiple extensions.


======================================================
Name: CVE-2008-2718
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2718
Reference: BUGTRAQ:20080611 TYPO3 Security Bulletin TYPO3-20080611-1: Multiple vulnerabilities in TYPO3 Core
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/493270/100/0/threaded
Reference: CONFIRM:http://typo3.org/teams/security/security-bulletins/typo3-20080611-1/
Reference: DEBIAN:DSA-1596
Reference: URL:http://www.debian.org/security/2008/dsa-1596
Reference: FRSIRT:ADV-2008-1802
Reference: URL:http://www.frsirt.com/english/advisories/2008/1802
Reference: SECUNIA:30619
Reference: URL:http://secunia.com/advisories/30619
Reference: SECUNIA:30660
Reference: URL:http://secunia.com/advisories/30660

Cross-site scripting (XSS) vulnerability in fe_adminlib.inc in TYPO3
4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1, as
used in extensions such as (1) direct_mail_subscription, (2)
feuser_admin, and (3) kb_md5fepw, allows remote attackers to inject
arbitrary web script or HTML via unspecified vectors.
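The fileDenyPattern weakness described under CVE-2008-2717 above, as an added example that is not part of this message or of TYPO3's own code. Both regexes are assumptions about the shape of the weak pre-fix default (a single trailing-extension check) and the hardened one (a multi-extension clause plus an explicit .htaccess match); they are written as Python regexes, and the sample upload names are constructed.

```python
import re

# Deny patterns. ASSUMPTION: these illustrate the shape of the weak and the
# hardened defaults; they are not quoted from TYPO3 source.
WEAK_DENY_PATTERN = r"\.(php[3-6]?|phpsh|phtml)$"
FIXED_DENY_PATTERN = r"\.(php[3-6]?|phpsh|phtml)(\..*)?$|^\.htaccess$"


def is_denied(filename: str, pattern: str = FIXED_DENY_PATTERN) -> bool:
    """True if the basename matches the deny pattern.

    Matching is case-insensitive so that shell.PHP is treated like shell.php,
    and only the basename is checked so a path prefix cannot hide the name.
    """
    basename = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return re.search(pattern, basename, re.IGNORECASE) is not None


def bypasses(filenames, weak=WEAK_DENY_PATTERN, fixed=FIXED_DENY_PATTERN):
    """Names the weak pattern lets through but the hardened pattern rejects."""
    return [f for f in filenames if not is_denied(f, weak) and is_denied(f, fixed)]


# Constructed sample upload names (not real data).
SAMPLE_UPLOADS = [
    "photo.jpg",
    "shell.php",
    "shell.PHP",
    "shell.php.txt",    # extra extension: Apache mod_mime still sees ".php"
    "shell.php5.jpg",
    ".htaccess",        # would let the uploader remap handlers for the directory
    "notes.php.bak",
]

if __name__ == "__main__":
    for name in SAMPLE_UPLOADS:
        weak = "DENY" if is_denied(name, WEAK_DENY_PATTERN) else "allow"
        fixed = "DENY" if is_denied(name) else "allow"
        print(f"{name:16} weak={weak:5} fixed={fixed}")
    print("let through by the weak pattern:", bypasses(SAMPLE_UPLOADS))
```

Apache's mod_mime evaluates every dotted extension in a filename, not just the last one, so a file called shell.php.txt can still be routed to the PHP handler when AddHandler/AddType maps .php; that is why the hardened pattern anchors on the dangerous extension followed by anything, and why a writable directory must also refuse .htaccess, which could re-map handlers outright.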

