=========================================================================
Arcus Security Advisory
=========================================================================

Product:   TYPO3 [1]
Vendor:    TYPO3
CVE ID:    2016-5091
Subject:   Extbase Missing Access Check
TYPO3-SA:  TYPO3-CORE-SA-2016-013 [2]
Risk:      High
Author:    Stefan Horlacher
Date:      2016-05-26

=========================================================================

Description:
------------
The request handling implementation of Extbase fails to properly check
whether access to a controller / action is permitted. Therefore, it is
possible to execute arbitrary Extbase actions. To exploit the vulnerability
an attacker needs access to at least one Extbase plugin or module.
Depending on the actions executed / available, the impact can vary from
information disclosure up to remote code execution.

Vulnerable:
-----------
4.3.0 up to 8.1.0

Workaround / Fix:
-----------------
Update to one of the following versions:
6.2.24
7.6.8
8.1.1

Alternatively, it is possible to manually apply the patch. [2]
As another alternative solution, TYPO3 provides a script which will patch
all affected versions. [2]

Timeline:
---------
2016-05-11: Vulnerability identified
2016-05-11: Contacted TYPO3 Security Team
2016-05-11: Contacted Alexander Kellner
2016-05-18: Detailed information sent to the TYPO3 Security Team
2016-05-20: TYPO3 Pre-Announcement released
2016-05-22: Vulnerability confirmed
2016-05-24: TYPO3 released a patched version

References:
-----------
[1] https://typo3.org/
[2] https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/

=========================================================================
Arcus Security GmbH
Sihlquai 253
Postfach
8031 Zurich
Tel.:  +41 (0)44 271 44 00
Mail:  info at arcus-security dot ch
www.arcus-security.ch
=========================================================================
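The Description section above says the flaw is a missing check that the requested controller / action pair is one the plugin actually permits. The following is an added example, written for this advisory and not code from TYPO3 or Arcus Security, of the kind of explicit allow-list check a request handler needs: it parses Extbase-style request parameters, refuses any controller / action pair not listed in the plugin's configuration, and doubles as an audit routine a defender can run over collected query strings. The plugin prefix `tx_example_pi1`, the `Article` controller, its action names and the sample requests are all constructed for illustration.

```python
"""Added example: an explicit controller/action allow-list check of the kind
TYPO3-CORE-SA-2016-013 describes as missing, applied to constructed requests.
Not TYPO3's or Arcus Security's code; all names below are assumptions."""

from urllib.parse import parse_qs

# Assumed plugin configuration: which actions each controller may expose
# through this plugin (modelled after Extbase's per-plugin controller/action
# configuration; controller and action names are illustrative only).
ALLOWED_ACTIONS = {
    "Article": {"list", "detail"},
}

PLUGIN_PREFIX = "tx_example_pi1"  # assumed plugin namespace


def parse_extbase_request(query_string, prefix=PLUGIN_PREFIX):
    """Extract the requested controller and action from an Extbase-style
    query string such as tx_example_pi1[controller]=Article&tx_example_pi1[action]=list.
    Returns (controller, action); a missing parameter comes back as None."""
    params = parse_qs(query_string, keep_blank_values=True)
    controller = params.get(f"{prefix}[controller]", [None])[0]
    action = params.get(f"{prefix}[action]", [None])[0]
    return controller, action


def is_action_allowed(controller, action, allowed=ALLOWED_ACTIONS):
    """The access check itself: a request may only dispatch to a
    controller/action pair that the plugin configuration explicitly lists.
    Unknown controller, unknown action or an absent parameter is refused
    rather than silently falling through to whatever the request names."""
    if controller is None or action is None:
        return False
    return action in allowed.get(controller, set())


def dispatch(query_string):
    """What a hardened request handler does with the request:
    'dispatch' for an allowed pair, 'deny' for everything else."""
    controller, action = parse_extbase_request(query_string)
    return "dispatch" if is_action_allowed(controller, action) else "deny"


def audit_requests(query_strings):
    """Defender view: return every (controller, action) pair in the given
    query strings that lies outside the plugin's allow-list."""
    flagged = []
    for qs in query_strings:
        controller, action = parse_extbase_request(qs)
        if not is_action_allowed(controller, action):
            flagged.append((controller, action))
    return flagged


# Constructed sample requests, not real traffic.
SAMPLE_REQUESTS = [
    "tx_example_pi1[controller]=Article&tx_example_pi1[action]=list",
    "tx_example_pi1[controller]=Article&tx_example_pi1[action]=detail&tx_example_pi1[article]=42",
    "tx_example_pi1[controller]=Article&tx_example_pi1[action]=delete",
    "tx_example_pi1[controller]=Maintenance&tx_example_pi1[action]=index",
    "tx_example_pi1[controller]=Article",
]

if __name__ == "__main__":
    for qs in SAMPLE_REQUESTS:
        print(f"{dispatch(qs):9s} {qs}")
```

The point of the design is that the allow-list is consulted before any controller is instantiated, and that the default on a missing or unrecognised value is to deny; the same `audit_requests` routine can be pointed at query strings pulled from web server logs to find requests for actions a plugin was never configured to expose.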