Everything you need to know about the TYPO3 Security Team (T3DD10)

•

5 likes•2,637 views

Oliver Klee

Technology News & Politics

Andreas Förthner
Helmut Hummel V5 team leader
V4 team leader Lars E.D. Jensen

Marcus Krause

Making TYPO3
more secure since 2004
Rove Monteaux Georg Ringer

Dmitry Dulepov Jochen Weiland
Oliver Klee

We handle reports,
create patches
and educate

There are good
vulnerability reports …
Subject: SQL injection in tx_moo 5.2.9

Dear security team,
I think I‘ve found an SQL injection vulnerability in the
extension tx_moo version 5.2.9.
In line 145 of the tx_moo_pi1 class, $pivars['uid'] is not
escaped:

$res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
'*', 'tx_moo_cows', 'uid = ' . $this->piVars['uid']
);

... and there are the others.

http://typo3.org/teams/security/resources/
Slides: TYPO3 website hacked

... and there are the others.
Subject: My site got hacked!

Hi,
I think my TYPO3 site got hacked. There suddenly is
another user, and there's some strange JavaScript on all
my pages. What can I do?

http://typo3.org/teams/security/resources/
Slides: TYPO3 website hacked

We coordinate extension
security ﬁxes with the
extension authors

We coordinate extension
security ﬁxes with the
extension authors

report to
security@typo3.org

We coordinate extension
security ﬁxes with the
extension authors

report to automatic post to
security@typo3.org security newsgroup &
trouble ticket system

We coordinate extension
security ﬁxes with the
extension authors

report to automatic post to
security@typo3.org security newsgroup & issue is real
trouble ticket system

We coordinate extension
security ﬁxes with the
extension authors reply

no

report to automatic post to
security@typo3.org security newsgroup & issue is real
trouble ticket system

We coordinate extension
security ﬁxes with the
extension authors reply

no

report to automatic post to yes
security@typo3.org security newsgroup & issue is real reply
trouble ticket system

We cooperate with the
Core Team in ﬁxing issues reply

no

report to automatic post to yes
security@typo3.org security newsgroup & issue is real reply
trouble ticket system

We follow a
resp onsible
(limited)
d isclosure
policy

We offer

extension
reviews
but they
are very

time-
consuming

Support the Security Team
via the
TYPO3 Assocation

What's hot

Network security

Akhilesh Jain

Core Insight Enterprise 5min

Nsolera

02 introduction to network security

Joe McCarthy

Pentesting with Metasploit

Prakashchand Suthar

Operating system vulnerability and control

أحلام انصارى

Dio - Aplicativos resilientes e seguros em Swift.

Thales Frigo

What's hot (6)

Network security

Core Insight Enterprise 5min

02 introduction to network security

Pentesting with Metasploit

Operating system vulnerability and control

Dio - Aplicativos resilientes e seguros em Swift.

Viewers also liked

Mongodb open source_high_performance_database

Murat Çakal

Cassandra NoSQL

Murat Çakal

Edisi 06 - Bermain dengan Infrastruktur Virtual (VMware® vSphere)

Hendra Nugraha

No sql

Murat Çakal

Wmware NoSQL

Murat Çakal

Scaling web applications with cassandra presentation

Murat Çakal

REST vs. SOAP

Murat Çakal

Viewers also liked (7)

Mongodb open source_high_performance_database

Cassandra NoSQL

Edisi 06 - Bermain dengan Infrastruktur Virtual (VMware® vSphere)

No sql

Wmware NoSQL

Scaling web applications with cassandra presentation

REST vs. SOAP

Recently uploaded

Advantages of Hiring UIUX Design Service Providers for Your Business

Pixlogix Infotech

Real Time Object Detection Using Open CV

Khem

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

What are drone anti-jamming systems? The drone anti-jamming systems and anti-spoof technology protect against interference, jamming, and spoofing of the UAVs. To protect their security, countries are beginning to research drone anti-jamming systems, also known as drone strike weapons. The anti-jam and anti-spoof technology protects against interference, jamming and spoofing. A drone strike weapon is a drone attack weapon that can attack and destroy enemy drones. So what is so unique about this amazing system?

What Are The Drone Anti-jamming Systems Technology?

Antenna Manufacturer Coco

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Developing An App To Navigate The Roads of Brazil

V3cube

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

Finology Group – Insurtech Innovation Award 2024

The Digital Insurer

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

Scaling API-first – The story of a global engineering organization

Radu Cotescu

Enterprise Knowledge’s Urmi Majumder, Principal Data Architecture Consultant, and Fernando Aguilar Islas, Senior Data Science Consultant, presented "Driving Behavioral Change for Information Management through Data-Driven Green Strategy" on March 27, 2024 at Enterprise Data World (EDW) in Orlando, Florida. In this presentation, Urmi and Fernando discussed a case study describing how the information management division in a large supply chain organization drove user behavior change through awareness of the carbon footprint of their duplicated and near-duplicated content, identified via advanced data analytics. Check out their presentation to gain valuable perspectives on utilizing data-driven strategies to influence positive behavioral shifts and support sustainability initiatives within your organization. In this session, participants gained answers to the following questions: - What is a Green Information Management (IM) Strategy, and why should you have one? - How can Artificial Intelligence (AI) and Machine Learning (ML) support your Green IM Strategy through content deduplication? - How can an organization use insights into their data to influence employee behavior for IM? - How can you reap additional benefits from content reduction that go beyond Green IM?

Driving Behavioral Change for Information Management through Data-Driven Gree...

Enterprise Knowledge

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Histor y of HAM Radio presentation slide

vu2urc

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

A Domino Admins Adventures (Engage 2024)

Gabriella Davis

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

Recently uploaded (20)

Advantages of Hiring UIUX Design Service Providers for Your Business

Real Time Object Detection Using Open CV

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

Strategies for Landing an Oracle DBA Job as a Fresher

What Are The Drone Anti-jamming Systems Technology?

Data Cloud, More than a CDP by Matt Robison

Exploring the Future Potential of AI-Enabled Smartphone Processors

Developing An App To Navigate The Roads of Brazil

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

Finology Group – Insurtech Innovation Award 2024

A Year of the Servo Reboot: Where Are We Now?

presentation ICT roal in 21st century education

Scaling API-first – The story of a global engineering organization

Driving Behavioral Change for Information Management through Data-Driven Gree...

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Histor y of HAM Radio presentation slide

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

A Domino Admins Adventures (Engage 2024)

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Everything you need to know about the TYPO3 Security Team (T3DD10)

1. Everything you need to know about the TYPO3 Security Team Oliver Klee, T3DD10

2. Making TYPO3 more secure since 2004

3. Andreas Förthner Helmut Hummel V5 team leader V4 team leader Lars E.D. Jensen Marcus Krause Making TYPO3 more secure since 2004 Rove Monteaux Georg Ringer Dmitry Dulepov Jochen Weiland Oliver Klee

4. We handle reports, create patches and educate

5. It‘sthenot about money

6. There are good vulnerability reports …

7. There are good vulnerability reports … Subject: SQL injection in tx_moo 5.2.9 Dear security team, I think I‘ve found an SQL injection vulnerability in the extension tx_moo version 5.2.9. In line 145 of the tx_moo_pi1 class, $pivars['uid'] is not escaped: $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery( '*', 'tx_moo_cows', 'uid = ' . $this->piVars['uid'] );

8. ... and there are the others. http://typo3.org/teams/security/resources/ Slides: TYPO3 website hacked

9. ... and there are the others. Subject: My site got hacked! Hi, I think my TYPO3 site got hacked. There suddenly is another user, and there's some strange JavaScript on all my pages. What can I do? http://typo3.org/teams/security/resources/ Slides: TYPO3 website hacked

10. We coordinate extension security ﬁxes with the extension authors

11. We coordinate extension security ﬁxes with the extension authors report to security@typo3.org

12. We coordinate extension security ﬁxes with the extension authors report to automatic post to security@typo3.org security newsgroup & trouble ticket system

13. We coordinate extension security ﬁxes with the extension authors report to automatic post to security@typo3.org security newsgroup & issue is real trouble ticket system

14. We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to security@typo3.org security newsgroup & issue is real trouble ticket system

15. We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system

16. We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system e-mail to extension author

17. We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system author e-mail to replies extension author

18. We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system author e-mail to replies extension author no remove extension from TER

19. We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system author e-mail to replies extension author no remove SecTeam extension releases from TER bulletin

20. We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system extension is yes author e-mail to still maintained replies extension author no remove SecTeam extension releases from TER bulletin

21. We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system remove extension, no extension is yes author e-mail to bulletin still maintained replies extension author no remove SecTeam extension releases from TER bulletin

22. We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system remove extension, no extension is yes author e-mail to bulletin still maintained replies extension author yes no author SecTeam creates patch remove extension releases from TER bulletin

23. We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system remove extension, no extension is yes author e-mail to bulletin still maintained replies extension author yes no SecTeam author SecTeam reviews patch creates patch remove extension releases from TER bulletin

24. We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system remove extension, no extension is yes author e-mail to bulletin still maintained replies extension author yes no SecTeam author SecTeam reviews patch creates patch remove extension releases from TER bulletin patch is okay

25. We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system remove extension, no extension is yes author e-mail to bulletin still maintained replies extension author yes no SecTeam author SecTeam reviews patch creates patch remove extension releases from TER bulletin no patch is okay

26. We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system remove extension, no extension is yes author e-mail to bulletin still maintained replies extension author yes no SecTeam author SecTeam reviews patch creates patch remove extension releases from TER bulletin no patch author or SecTeam is okay releases new version yes

27. We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system remove extension, no extension is yes author e-mail to bulletin still maintained replies extension author yes no SecTeam author SecTeam reviews patch creates patch remove extension releases from TER bulletin no patch author or SecTeam SecTeam marks is okay releases new version old versions in yes TER as insecure

28. We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system remove extension, no extension is yes author e-mail to bulletin still maintained replies extension author yes no SecTeam author SecTeam reviews patch creates patch remove extension releases from TER bulletin no patch author or SecTeam SecTeam marks SecTeam is okay releases new version old versions in releases yes TER as insecure bulletin

29. We cooperate with the Core Team in ﬁxing issues reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system

30. We cooperate with the Core Team in ﬁxing issues reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system SecTeam or CoreTeam creates patch

31. We cooperate with the Core Team in ﬁxing issues reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system post patch to SecTeam or core-security CoreTeam creates patch

32. We cooperate with the Core Team in ﬁxing issues reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system post patch to SecTeam or Reviews CoreTeam core-security creates patch

33. We cooperate with the Core Team in ﬁxing issues reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system post patch to SecTeam or Reviews CoreTeam core-security creates patch -1

34. We cooperate with the Core Team in ﬁxing issues reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system +1 by Core Team post patch to SecTeam or Reviews CoreTeam core-security creates patch +1 by Sec Team -1 release manager collects patches

35. We cooperate with the Core Team in ﬁxing issues reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system +1 by Core Team post patch to SecTeam or Reviews CoreTeam core-security creates patch +1 by Sec Team -1 release manager release manager collects patches releases security release

36. We cooperate with the Core Team in ﬁxing issues reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system +1 by Core Team post patch to SecTeam or Reviews CoreTeam core-security creates patch +1 by Sec Team -1 release manager release manager SecTeam collects patches releases security releases release bulletin

37. We follow a resp onsible (limited) d isclosure policy

38. We offer extension reviews but they are very time- consuming

39. Support the Security Team via the TYPO3 Assocation

40. Questions?

41. Thank you.

Editor's Notes

- who has been contact - who has subscribed to typo3-announce - who has reported a vulnerability
- handle extension and core vulnerability reports - answer security-related questions, educate people - do paid extension reviews - create and review Core security fixes
- contribute to make TYPO3 & the web more secure - we learn a lot - it&#x2018;s fun (team) - mostly unpaid, some projects/tasks have a budged: 4.3.0 patches, Incident Handling System
- Incident Handling System will automate some steps
- Incident Handling System will automate some steps
- Incident Handling System will automate some steps
- Incident Handling System will automate some steps
- Incident Handling System will automate some steps
- Incident Handling System will automate some steps
- Incident Handling System will automate some steps
- Incident Handling System will automate some steps
- Incident Handling System will automate some steps
- Incident Handling System will automate some steps
- Incident Handling System will automate some steps
- Incident Handling System will automate some steps
- Incident Handling System will automate some steps
- Incident Handling System will automate some steps
- Incident Handling System will automate some steps
- Incident Handling System will automate some steps
- Incident Handling System will automate some steps
- Incident Handling System will automate some steps
- != full disclosure - least necessary information, responsible disclure - no PoC, keine Infos ohne Fix
- time-consuming - only on demaid, and paid (contact us, price) - only for one version - concept or &#x201E;reviewed extensions&#x201C; in the TER is dead, still helpful
- become an association member - donate to the association - create great reports

Everything you need to know about the TYPO3 Security Team (T3DD10)

Recommended

Recommended

More Related Content

What's hot

What's hot (6)

Viewers also liked

Viewers also liked (7)

More from Oliver Klee

More from Oliver Klee (15)

Recently uploaded

Recently uploaded (20)

Everything you need to know about the TYPO3 Security Team (T3DD10)

Editor's Notes