Project

General

Profile

Actions
Copy link

Bug #19834

closed

Weak encryption key generation vulnerability in sysext install

Added by Marcus Krause over 15 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Must have
Assignee:
Marcus Krause
Category:
Install Tool
Target version:
-
Start date:
2009-01-15
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
4.0
PHP Version:
5.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Versions:
4.0 up to trunk (4.0, 4.1, 4.2, trunk)

Problem:
The install tool generates encryption keys with a very low entropy.

Solution:
Use t3lib_div::generateRandomBytes() instead of the vulnerable JavaScript implementation.

Provided by TYPO3 Security Team
(issue imported from #M10154)

Files

Download all files
10154.diff (8.45 KB) 10154.diff Administrator Admin, 2009-01-16 02:28
10154_trunk_v1.diff (8.37 KB) 10154_trunk_v1.diff Administrator Admin, 2009-01-16 02:52
10154_4-2_v2.diff (9.82 KB) 10154_4-2_v2.diff Administrator Admin, 2009-01-16 02:57
10154_4-2_v3.diff (9.62 KB) 10154_4-2_v3.diff Administrator Admin, 2009-01-19 23:45
10154_4-1_v3.diff (9.53 KB) 10154_4-1_v3.diff Administrator Admin, 2009-01-19 23:45
10154_trunk_v3.diff (8.27 KB) 10154_trunk_v3.diff Administrator Admin, 2009-01-20 00:02
10154_4-0_v3.diff (8.28 KB) 10154_4-0_v3.diff Administrator Admin, 2009-01-20 00:03
10154_4-0_v4.diff (8.51 KB) 10154_4-0_v4.diff Administrator Admin, 2009-01-20 01:42
10154_4-1_v4.diff (9.82 KB) 10154_4-1_v4.diff Administrator Admin, 2009-01-20 01:42

Related issues 1 (0 open1 closed)

Related to TYPO3 Core - Bug #19875: Missing files in sysext installClosedSteffen Kamper2009-01-21

Actions
Actions
Copy link
 #1

Updated by Marcus Krause over 15 years ago

patch added for trunk

Actions
Copy link
 #2

Updated by Marcus Krause over 15 years ago

patch added for 4-2

Actions
Copy link
 #3

Updated by Marcus Krause over 15 years ago

patch to be applied on 4-0 and 4-1 added (10154.diff)

Actions
Copy link
 #4

Updated by Marcus Krause over 15 years ago

added new versions of patches for 4-1 and 4-2:
- registration of AJAX-scripts in ext_localconf.php instead of global config_default.php

Actions
Copy link
 #5

Updated by Marcus Krause over 15 years ago

ready to be committed

Actions
Copy link
 #6

Updated by Helmut Hummel over 15 years ago

upload reworked patches, use patches with the _v3 suffix for the commit!!

Actions
Copy link
 #7

Updated by Marcus Krause over 15 years ago

added _v4 patches for 4-0 and 4-1 as _v3 ones didn't apply properly - no functionality changes!

Actions
Copy link
 #8

Updated by Ingo Renner over 15 years ago

fixed in 4.0.10, 4.1.8, 4.2.4, and trunk

Actions
Copy link
 #9

Updated by Benni Mack over 5 years ago

  • Status changed from Resolved to Closed
Actions
Copy link

Also available in: Atom PDF