Project

General

Profile

Actions
Copy link

Bug #19834

closed

Weak encryption key generation vulnerability in sysext install

Added by Marcus Krause almost 16 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Must have
Assignee:
Marcus Krause
Category:
Install Tool
Target version:
-
Start date:
2009-01-15
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
4.0
PHP Version:
5.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Versions:
4.0 up to trunk (4.0, 4.1, 4.2, trunk)

Problem:
The install tool generates encryption keys with a very low entropy.

Solution:
Use t3lib_div::generateRandomBytes() instead of the vulnerable JavaScript implementation.

Provided by TYPO3 Security Team
(issue imported from #M10154)

Files

Download all files
10154.diff (8.45 KB) 10154.diff Administrator Admin, 2009-01-16 02:28
10154_trunk_v1.diff (8.37 KB) 10154_trunk_v1.diff Administrator Admin, 2009-01-16 02:52
10154_4-2_v2.diff (9.82 KB) 10154_4-2_v2.diff Administrator Admin, 2009-01-16 02:57
10154_4-2_v3.diff (9.62 KB) 10154_4-2_v3.diff Administrator Admin, 2009-01-19 23:45
10154_4-1_v3.diff (9.53 KB) 10154_4-1_v3.diff Administrator Admin, 2009-01-19 23:45
10154_trunk_v3.diff (8.27 KB) 10154_trunk_v3.diff Administrator Admin, 2009-01-20 00:02
10154_4-0_v3.diff (8.28 KB) 10154_4-0_v3.diff Administrator Admin, 2009-01-20 00:03
10154_4-0_v4.diff (8.51 KB) 10154_4-0_v4.diff Administrator Admin, 2009-01-20 01:42
10154_4-1_v4.diff (9.82 KB) 10154_4-1_v4.diff Administrator Admin, 2009-01-20 01:42

Related issues 1 (0 open1 closed)

Related to TYPO3 Core - Bug #19875: Missing files in sysext installClosedSteffen Kamper2009-01-21

Actions
Actions
Copy link

Also available in: Atom PDF