Bug #35300

Arguments of form __referrer are unserialized without a check

Added by Andreas Förthner over 3 years ago. Updated over 3 years ago.

Status: Resolved
Start date: 2012-03-28
Priority: Must have
Due date: 2012-03-28
Assigned To: Andreas Förthner
% Done: 100%
Category: Security
Target version: TYPO3 Flow Base Distribution - 1.0.4
PHP Version: 5.3
Complexity: easy
Has patch: Yes
Affected Flow version: FLOW3 1.0.0

Description

The request arguments of the referring request are stored as a serialized string in one of the hidden fields of a Fluid form. Because the string is not checked before it is unserialized, a client can submit a crafted value and have arbitrary available classes instantiated through unserialize().

Solution: This string has to be protected by an HMAC so that FLOW3 only unserializes values it produced itself, which protects it from possible unserialize attacks.
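The following is an added illustration of the fix described above, not Flow's own code (Flow implements this in its HashService): the unchecked pattern next to a version that signs the serialized arguments with an HMAC when the form is rendered and verifies the signature before unserialize(). It assumes PHP 7 or newer (hash_equals and the allowed_classes option are newer than the PHP 5.3 named on this issue) and uses a constructed demo key and sample arguments.

```php
<?php
// Added example (not Flow's own code). $secret stands in for the
// application's persistent key; the sample arguments are constructed.

// Unchecked pattern, as described in the bug: the hidden field value is
// trusted and unserialized as-is, so the client controls the object graph.
function restoreReferrerArgumentsUnchecked(string $hiddenFieldValue)
{
    return unserialize($hiddenFieldValue); // no integrity check
}

// Hardened pattern, step 1: sign the serialized arguments when rendering.
function signReferrerArguments(array $arguments, string $secret): string
{
    $serialized = serialize($arguments);
    $hmac = hash_hmac('sha256', $serialized, $secret);
    return $serialized . $hmac; // value written into the hidden field
}

// Hardened pattern, step 2: verify the HMAC in constant time, then unserialize.
function restoreReferrerArguments(string $hiddenFieldValue, string $secret): array
{
    $hmacLength = 64; // hex length of a SHA-256 HMAC
    if (strlen($hiddenFieldValue) <= $hmacLength) {
        throw new RuntimeException('Referrer arguments too short to carry an HMAC');
    }
    $serialized = substr($hiddenFieldValue, 0, -$hmacLength);
    $hmac = substr($hiddenFieldValue, -$hmacLength);
    $expected = hash_hmac('sha256', $serialized, $secret);
    if (!hash_equals($expected, $hmac)) { // constant-time comparison
        throw new RuntimeException('Referrer arguments failed HMAC validation');
    }
    // Defence in depth (PHP >= 7.0): the referrer arguments are plain arrays,
    // so refuse to instantiate any object even if the blob were validly signed.
    $arguments = unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($arguments)) {
        throw new RuntimeException('Referrer arguments are not an array');
    }
    return $arguments;
}

$secret = 'constructed-demo-key-use-the-application-key-instead';
$field = signReferrerArguments(['@controller' => 'Post', '@action' => 'index'], $secret);
print_r(restoreReferrerArguments($field, $secret));           // restores the array

$tampered = str_replace('index', 'admin', $field);             // modified in transit
try {
    restoreReferrerArguments($tampered, $secret);
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";                  // HMAC no longer matches
}
```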

Associated revisions

Revision cd39af5d
Added by Andreas Förthner over 3 years ago

[SECURITY] Protect arguments of form __referrer with HMAC

The request arguments of the referring request are
a serialized string written to one of the hidden
fields in a Fluid form. This string has to be protected
by a HMAC to protect FLOW3 from possible unserialize
attacks.

Note: For now there is no object known within the FLOW3
Distribution, that could be used for an unserialize
exploit!

This change also backports some convenience hmac methods
to the hash service from the current master, to have the
bugfix in sync.

Change-Id: Ifeb87d0a85308f25cff2573a1ce2fc62dcd1e5fd
Security-Bulletin: FLOW3-SA-2012-001
Fixes: #35300
Releases: 1.0, 1.1

Revision dc464504
Added by Andreas Förthner over 3 years ago

[SECURITY] Protect arguments of form __referrer with HMAC

The request arguments of the referring request are
a serialized string written to one of the hidden
fields in a Fluid form. This string has to be protected
by a HMAC to protect FLOW3 from possible unserialize
attacks.

Note: For now there is no object known within the FLOW3
Distribution, that could be used for an unserialize
exploit!

Change-Id: I329f75052d2732f1baf4d26f6fd70cd9d009a65e
Security-Bulletin: FLOW3-SA-2012-001
Fixes: #35300
Releases: 1.0, 1.1

History

#1 Updated by Gerrit Code Review over 3 years ago

  • Status changed from New to Under Review

Patch set 3 for branch FLOW3-1.0 has been pushed to the review server.
It is available at http://review.typo3.org/9897

#2 Updated by Bastian Waidelich over 3 years ago

Shouldn't the target version be "Some version"? ;)

#3 Updated by Gerrit Code Review over 3 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/9898

#4 Updated by Gerrit Code Review over 3 years ago

Patch set 3 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/9898

#5 Updated by Gerrit Code Review over 3 years ago

Patch set 4 for branch FLOW3-1.0 has been pushed to the review server.
It is available at http://review.typo3.org/9897

#6 Updated by Gerrit Code Review over 3 years ago

Patch set 1 for branch FLOW3-1.0 has been pushed to the review server.
It is available at http://review.typo3.org/9975

#7 Updated by Gerrit Code Review over 3 years ago

Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/9976

#8 Updated by Andreas Förthner over 3 years ago

  • Subject changed from some issue to Arguments of form __referrer are unserialized without a check
  • Priority changed from Should have to Must have
  • PHP Version set to 5.3

#9 Updated by Andreas Förthner over 3 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#10 Updated by Gerrit Code Review over 3 years ago

  • Status changed from Resolved to Under Review

Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/9976

#11 Updated by Gerrit Code Review over 3 years ago

Patch set 3 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/9976

#12 Updated by Gerrit Code Review over 3 years ago

Patch set 4 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/9976

#13 Updated by Andreas Förthner over 3 years ago

  • Status changed from Under Review to Resolved
