Bug #19834
closed
Weak encryption key generation vulnerability in sysext install
Start date: 2009-01-15
% Done: 0%
TYPO3 Version: 4.0
PHP Version: 5.2
Description
Versions:
4.0 up to trunk (4.0, 4.1, 4.2, trunk)
Problem:
The install tool generates encryption keys with very low entropy.
Solution:
Use t3lib_div::generateRandomBytes() instead of the vulnerable JavaScript implementation.
Provided by TYPO3 Security Team
(issue imported from #M10154)
Updated by Marcus Krause almost 16 years ago
patch to be applied on 4-0 and 4-1 added (10154.diff)
Updated by Marcus Krause almost 16 years ago
added new versions of patches for 4-1 and 4-2:
- registration of AJAX-scripts in ext_localconf.php instead of global config_default.php
Updated by Helmut Hummel almost 16 years ago
upload reworked patches, use patches with the _v3 suffix for the commit!!
Updated by Marcus Krause almost 16 years ago
added _v4 patches for 4-0 and 4-1 as _v3 ones didn't apply properly - no functionality changes!
Updated by Ingo Renner almost 16 years ago
fixed in 4.0.10, 4.1.8, 4.2.4, and trunk