Bug #35300
Arguments of form __referrer are unserialized without a check
Status: | Resolved | Start date: | 2012-03-28 | |
---|---|---|---|---|
Priority: | Must have | Due date: | 2012-03-28 | |
Assigned To: | Andreas Förthner | % Done: | 100% |
|
Category: | Security | |||
Target version: | TYPO3 Flow Base Distribution - 1.0.4 | |||
PHP Version: | 5.3 | Complexity: | easy | |
Has patch: | Yes | Affected Flow version: | FLOW3 1.0.0 |
Description
The request arguments of the referring request are a serialized string written to one of the hidden fields in a Fluid form. As the string is not checked before unserializing it, it is possible to unserialized arbitrary available objects.
Solution: This string has to be protected by a HMAC to protect FLOW3 from possible unserialize attacks.
Associated revisions
[SECURITY] Protect arguments of form __referrer with HMAC
The request arguments of the referring request are
a serialized string written to one of the hidden
fields in a Fluid form. This string has to be protected
by a HMAC to protect FLOW3 from possible unserialize
attacks.
Note: For now there is no object known within the FLOW3
Distribution, that could be used for an unserialize
exploit!
This change also backports some convenience hmac methods
to the hash service from the current master, to have the
bugfix in sync.
Change-Id: Ifeb87d0a85308f25cff2573a1ce2fc62dcd1e5fd
Security-Bulletin: FLOW3-SA-2012-001
Fixes: #35300
Releases: 1.0, 1.1
[SECURITY] Protect arguments of form __referrer with HMAC
The request arguments of the referring request are
a serialized string written to one of the hidden
fields in a Fluid form. This string has to be protected
by a HMAC to protect FLOW3 from possible unserialize
attacks.
Note: For now there is no object known within the FLOW3
Distribution, that could be used for an unserialize
exploit!
Change-Id: I329f75052d2732f1baf4d26f6fd70cd9d009a65e
Security-Bulletin: FLOW3-SA-2012-001
Fixes: #35300
Releases: 1.0, 1.1
History
#1 Updated by Gerrit Code Review over 3 years ago
- Status changed from New to Under Review
Patch set 3 for branch FLOW3-1.0 has been pushed to the review server.
It is available at http://review.typo3.org/9897
#2 Updated by Bastian Waidelich over 3 years ago
Shouldn't the target version be "Some version"? ;)
#3 Updated by Gerrit Code Review over 3 years ago
Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/9898
#4 Updated by Gerrit Code Review over 3 years ago
Patch set 3 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/9898
#5 Updated by Gerrit Code Review over 3 years ago
Patch set 4 for branch FLOW3-1.0 has been pushed to the review server.
It is available at http://review.typo3.org/9897
#6 Updated by Gerrit Code Review over 3 years ago
Patch set 1 for branch FLOW3-1.0 has been pushed to the review server.
It is available at http://review.typo3.org/9975
#7 Updated by Gerrit Code Review over 3 years ago
Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/9976
#8 Updated by Andreas Förthner over 3 years ago
- Subject changed from some issue to Arguments of form __referrer are unserialized without a check
- Priority changed from Should have to Must have
- PHP Version set to 5.3
#9 Updated by Andreas Förthner over 3 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset cd39af5dddd1695b499ca038c5add38d46436e4c.
#10 Updated by Gerrit Code Review over 3 years ago
- Status changed from Resolved to Under Review
Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/9976
#11 Updated by Gerrit Code Review over 3 years ago
Patch set 3 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/9976
#12 Updated by Gerrit Code Review over 3 years ago
Patch set 4 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/9976
#13 Updated by Andreas Förthner over 3 years ago
- Status changed from Under Review to Resolved
Applied in changeset dc46450431cf55667da03bfdd9c624291479d953.