Everything you need to know about the TYPO3 Security Team (T3DD10)

  • - who has been in contact with the Security Team
    - who has subscribed to typo3-announce
    - who has reported a vulnerability

  • - handle extension and core vulnerability reports
    - answer security-related questions, educate people
    - do paid extension reviews
    - create and review Core security fixes
  • - contribute to making TYPO3 & the web more secure
    - we learn a lot
    - it's fun (team)
    - mostly unpaid; some projects/tasks have a budget: 4.3.0 patches, Incident Handling System

  • - Incident Handling System will automate some steps

  • - != full disclosure
    - least necessary information, responsible disclosure
    - no PoC, no information without a fix
  • - time-consuming
    - only on demand, and paid (contact us for the price)
    - only for one version
    - the concept of "reviewed extensions" in the TER is dead, but still helpful
  • - become an association member
    - donate to the association
    - create great reports

    1. Everything you need to know about the TYPO3 Security Team. Oliver Klee, T3DD10
    2. Making TYPO3 more secure since 2004
    3. Making TYPO3 more secure since 2004: Andreas Förthner (V5 team leader), Helmut Hummel (V4 team leader), Lars E.D. Jensen, Marcus Krause, Rove Monteaux, Georg Ringer, Dmitry Dulepov, Jochen Weiland, Oliver Klee
    4. We handle reports, create patches and educate
    5. It's not about the money
    6. There are good vulnerability reports …
    7. There are good vulnerability reports …
       Subject: SQL injection in tx_moo 5.2.9
       Dear security team, I think I've found an SQL injection vulnerability in the extension tx_moo version 5.2.9. In line 145 of the tx_moo_pi1 class, $this->piVars['uid'] is not escaped:
       $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('*', 'tx_moo_cows', 'uid = ' . $this->piVars['uid']);
    8. ... and there are the others. (http://typo3.org/teams/security/resources/, slides: "TYPO3 website hacked")
    9. ... and there are the others.
       Subject: My site got hacked!
       Hi, I think my TYPO3 site got hacked. There suddenly is another user, and there's some strange JavaScript on all my pages. What can I do?
       (http://typo3.org/teams/security/resources/, slides: "TYPO3 website hacked")
    10–28. We coordinate extension security fixes with the extension authors (a flowchart built up one node per slide over slides 10 to 28; reconstructed here from the complete diagram on slide 28):
       - report to security@typo3.org
       - automatic post to security newsgroup & trouble ticket system
       - issue is real?
         - no: reply
         - yes: reply, e-mail to extension author
       - author replies?
         - no: remove extension from TER, SecTeam releases bulletin
         - yes: extension is still maintained?
           - no: remove extension, bulletin
           - yes: author creates patch
       - SecTeam reviews patch
       - patch is okay?
         - no: back to the patch step
         - yes: author or SecTeam releases new version
       - SecTeam marks old versions in TER as insecure
       - SecTeam releases bulletin
    29–36. We cooperate with the Core Team in fixing issues (a flowchart built up one node per slide over slides 29 to 36; reconstructed here from the complete diagram on slide 36):
       - report to security@typo3.org
       - automatic post to security newsgroup & trouble ticket system
       - issue is real?
         - no: reply
         - yes: reply
       - SecTeam or CoreTeam creates patch
       - post patch to core-security
       - reviews: +1 by Core Team, +1 by Sec Team; a -1 sends it back to the patch step
       - release manager collects patches
       - release manager releases security release
       - SecTeam releases bulletin
    37. We follow a responsible (limited) disclosure policy
    38. We offer extension reviews, but they are very time-consuming
    39. Support the Security Team via the TYPO3 Association
    40. Questions?
    41. Thank you.
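The sample report on slide 7 only quotes the injectable line. The following is an added example, not code from the slides or from any real TYPO3 extension, that puts that pattern next to the two fixes the TYPO3 4.x database layer offers: an integer cast for numeric parameters and fullQuoteStr() for string parameters. The extension tx_moo, its table tx_moo_cows, the plugin class tx_moo_pi1 and the method names findCow*() are taken from or modelled on the report and are hypothetical; FakeTypo3Db is an assumed stand-in for $GLOBALS['TYPO3_DB'] (t3lib_DB) that only builds the SQL string instead of sending it to MySQL, so the script runs outside a TYPO3 installation. exec_SELECTquery() and fullQuoteStr() are real t3lib_DB methods; everything else here is constructed for the demonstration.

```php
<?php
// Added example (not from the T3DD10 slides): the injectable query from the
// sample vulnerability report beside its hardened forms.

// Stand-in for $GLOBALS['TYPO3_DB'] (t3lib_DB). It records the SQL that the
// real class would send to MySQL, which is all we need to see the difference.
class FakeTypo3Db {
    public $lastQuery = '';

    // Same parameter list as t3lib_DB::exec_SELECTquery() in TYPO3 4.x.
    public function exec_SELECTquery($select, $from, $where, $groupBy = '', $orderBy = '', $limit = '') {
        $this->lastQuery = 'SELECT ' . $select . ' FROM ' . $from
            . ($where !== '' ? ' WHERE ' . $where : '')
            . ($limit !== '' ? ' LIMIT ' . $limit : '');
        return $this->lastQuery;
    }

    // Approximates t3lib_DB::fullQuoteStr(): escape the value and wrap it in
    // single quotes. The real method uses mysql_real_escape_string(), which
    // needs a live connection; addslashes() is a stub, not a production choice.
    public function fullQuoteStr($str, $table) {
        return '\'' . addslashes($str) . '\'';
    }
}

$GLOBALS['TYPO3_DB'] = new FakeTypo3Db();

// Hypothetical frontend plugin, modelled on the tx_moo_pi1 class in the report.
class tx_moo_pi1 {
    public $piVars = array();

    // BEFORE: the line the report complains about. Kept deliberately
    // vulnerable: whatever arrives in piVars['uid'] is concatenated into SQL.
    public function findCowVulnerable() {
        return $GLOBALS['TYPO3_DB']->exec_SELECTquery(
            '*', 'tx_moo_cows', 'uid = ' . $this->piVars['uid']
        );
    }

    // AFTER, numeric parameter: cast to int, so only digits can reach the SQL.
    public function findCowById() {
        $uid = intval($this->piVars['uid']);
        return $GLOBALS['TYPO3_DB']->exec_SELECTquery('*', 'tx_moo_cows', 'uid = ' . $uid);
    }

    // AFTER, string parameter: let the DB layer quote and escape the value.
    public function findCowByName() {
        $name = $GLOBALS['TYPO3_DB']->fullQuoteStr($this->piVars['name'], 'tx_moo_cows');
        return $GLOBALS['TYPO3_DB']->exec_SELECTquery('*', 'tx_moo_cows', 'name = ' . $name);
    }
}

// Constructed attacker input, as it would arrive via
// ?tx_moo_pi1[uid]=1+OR+1%3D1 and ?tx_moo_pi1[name]=Bessie'+OR+'1'%3D'1
$plugin = new tx_moo_pi1();
$plugin->piVars['uid']  = '1 OR 1=1';
$plugin->piVars['name'] = "Bessie' OR '1'='1";

echo $plugin->findCowVulnerable(), "\n";
echo $plugin->findCowById(), "\n";
echo $plugin->findCowByName(), "\n";
```

Run it with `php injection_demo.php` (any file name will do). The first query ends in `uid = 1 OR 1=1`, which MySQL evaluates as `(uid = 1) OR (1=1)` and therefore returns every row of the table; with a UNION the same hole reads other tables. The intval() version collapses the same input to `uid = 1`, and the fullQuoteStr() version keeps the attacker's apostrophe inside the string literal, so the `OR` never becomes SQL. Inside a real TYPO3 4.x installation drop the FakeTypo3Db stub: `$GLOBALS['TYPO3_DB']` is already the real t3lib_DB object there, and its fullQuoteStr() escapes with the connection's charset, which the addslashes() stand-in here does not.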
