3. Making TYPO3 more secure since 2004
- Andreas Förthner
- Helmut Hummel (V5 team leader)
- Lars E.D. Jensen (V4 team leader)
- Marcus Krause
- Rove Monteaux
- Georg Ringer
- Dmitry Dulepov
- Jochen Weiland
- Oliver Klee
7. There are good vulnerability reports ...
Subject: SQL injection in tx_moo 5.2.9
Dear security team,
I think I've found an SQL injection vulnerability in the extension tx_moo version 5.2.9.
In line 145 of the tx_moo_pi1 class, $this->piVars['uid'] is not escaped:
    $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
        '*', 'tx_moo_cows', 'uid = ' . $this->piVars['uid']
    );
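To show why the line quoted in that report matters, here is an added example that is not part of the slides and not TYPO3 or tx_moo code. It models the same query construction (request value concatenated into the WHERE clause) against an in-memory SQLite table, then shows the fix: coerce the uid to an integer before it reaches SQL (in TYPO3 that is intval($this->piVars['uid'])) and bind it as a parameter instead of concatenating. The table layout and the rows are constructed for the demo and are assumptions, not the extension's schema.

```python
import sqlite3

# Constructed sample data standing in for tx_moo_cows; columns are assumed for this demo.
SAMPLE_ROWS = [
    (1, "Bessie", 0),
    (2, "Clara", 0),
    (3, "hidden cow", 1),   # hidden=1: a record a visitor should never be able to select
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tx_moo_cows (uid INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)"
    )
    conn.executemany("INSERT INTO tx_moo_cows VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_query(conn, uid):
    """Mirror of the reported pattern: the request value is pasted into the WHERE clause.

    In the report this is  'uid = ' . $this->piVars['uid']  handed to exec_SELECTquery().
    Whatever the visitor sends becomes SQL.
    """
    where = "uid = " + uid                      # no escaping, no type check
    sql = "SELECT uid, name, hidden FROM tx_moo_cows WHERE " + where
    return conn.execute(sql).fetchall()


def hardened_query(conn, uid):
    """Fixed version: uid is an integer column, so coerce the input before it touches SQL
    (the TYPO3 idiom is intval($this->piVars['uid'])), then bind it as a parameter."""
    try:
        uid_int = int(uid)
    except (TypeError, ValueError):
        return []                               # not a uid at all: query nothing
    sql = "SELECT uid, name, hidden FROM tx_moo_cows WHERE uid = ?"
    return conn.execute(sql, (uid_int,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query(db, "2"))                 # intended use: one row
    print(vulnerable_query(db, "0 OR hidden = 1"))   # injection: leaks the hidden row
    print(vulnerable_query(db, "0 OR 1 = 1"))        # injection: dumps the whole table
    print(hardened_query(db, "0 OR hidden = 1"))     # payload rejected before any SQL runs
    print(hardened_query(db, "2"))                   # real uids still work
```

The integer cast is the cheapest fix for a numeric key and is what a reviewer would expect to see in the patched extension; parameter binding is the general answer when the value is not numeric.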
9. ... and there are the others.
Subject: My site got hacked!
Hi,
I think my TYPO3 site got hacked. There suddenly is another user, and there's some strange JavaScript on all my pages. What can I do?
http://typo3.org/teams/security/resources/
Slides: TYPO3 website hacked
12. We coordinate extension security fixes with the extension authors
(flowchart built up over slides 12 to 28; the complete diagram reads as follows)
- A report arrives at security@typo3.org and is automatically posted to the security newsgroup and the trouble ticket system.
- Is the issue real? If no: reply to the reporter, done. If yes: reply to the reporter and continue.
- Is the extension still maintained? If no: remove the extension from TER and release a bulletin. If yes: e-mail the extension author.
- Does the author reply? If no: remove the extension from TER and the SecTeam releases a bulletin. If yes: the author creates a patch.
- The SecTeam reviews the patch. Is the patch okay? If no: back to the patch step. If yes: the author or the SecTeam releases a new version.
- The SecTeam marks the old versions in TER as insecure.
- The SecTeam releases a bulletin.
29. We cooperate with the Core Team in fixing issues
(flowchart built up over slides 29 to 36; the complete diagram reads as follows)
- A report arrives at security@typo3.org and is automatically posted to the security newsgroup and the trouble ticket system.
- Is the issue real? If no: reply to the reporter, done. If yes: reply to the reporter and continue.
- The SecTeam or the Core Team creates a patch.
- The patch is posted to core-security.
- Reviews: the patch needs a +1 by the Core Team and a +1 by the Sec Team; a -1 sends it back to the patch step.
- The release manager collects the patches.
- The release manager releases a security release.
- The SecTeam releases a bulletin.
- who has been in contact
- who has subscribed to typo3-announce
- who has reported a vulnerability

- handle extension and core vulnerability reports
- answer security-related questions, educate people
- do paid extension reviews
- create and review Core security fixes
- contribute to making TYPO3 & the web more secure

- we learn a lot
- it's fun (team)
- mostly unpaid; some projects/tasks have a budget: 4.3.0 patches, Incident Handling System
- the Incident Handling System will automate some steps

- != full disclosure
- least necessary information, responsible disclosure
- no PoC, no information without a fix

- time-consuming
- only on demand, and paid (contact us for a price)
- only for one version
- the concept of "reviewed extensions" in the TER is dead, but reviews are still helpful

- become an association member
- donate to the association
- create great reports