Everything you need to know about the TYPO3 Security Team (T3DD10)

Everything you need to know about the TYPO3 Security Team Oliver Klee, T3DD10

Making TYPO3 more secure since 2004

Andreas Förthner Helmut Hummel V5 team leader V4 team leader Lars E.D. Jensen Marcus Krause Making TYPO3 more secure since 2004 Rove Monteaux Georg Ringer Dmitry Dulepov Jochen Weiland Oliver Klee

We handle reports, create patches and educate

It‘sthenot about money

There are good vulnerability reports …

There are good vulnerability reports … Subject: SQL injection in tx_moo 5.2.9 Dear security team, I think I‘ve found an SQL injection vulnerability in the extension tx_moo version 5.2.9. In line 145 of the tx_moo_pi1 class, $pivars['uid'] is not escaped: $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery( '*', 'tx_moo_cows', 'uid = ' . $this->piVars['uid'] );

... and there are the others. http://typo3.org/teams/security/resources/ Slides: TYPO3 website hacked

... and there are the others. Subject: My site got hacked! Hi, I think my TYPO3 site got hacked. There suddenly is another user, and there's some strange JavaScript on all my pages. What can I do? http://typo3.org/teams/security/resources/ Slides: TYPO3 website hacked

We coordinate extension security ﬁxes with the extension authors

We coordinate extension security ﬁxes with the extension authors report to security@typo3.org

We coordinate extension security ﬁxes with the extension authors report to automatic post to security@typo3.org security newsgroup & trouble ticket system

We coordinate extension security ﬁxes with the extension authors report to automatic post to security@typo3.org security newsgroup & issue is real trouble ticket system

We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to security@typo3.org security newsgroup & issue is real trouble ticket system

We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system

We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system e-mail to extension author

We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system author e-mail to replies extension author

We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system author e-mail to replies extension author no remove extension from TER

We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system author e-mail to replies extension author no remove SecTeam extension releases from TER bulletin

We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system extension is yes author e-mail to still maintained replies extension author no remove SecTeam extension releases from TER bulletin

We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system remove extension, no extension is yes author e-mail to bulletin still maintained replies extension author no remove SecTeam extension releases from TER bulletin

We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system remove extension, no extension is yes author e-mail to bulletin still maintained replies extension author yes no author SecTeam creates patch remove extension releases from TER bulletin

We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system remove extension, no extension is yes author e-mail to bulletin still maintained replies extension author yes no SecTeam author SecTeam reviews patch creates patch remove extension releases from TER bulletin

We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system remove extension, no extension is yes author e-mail to bulletin still maintained replies extension author yes no SecTeam author SecTeam reviews patch creates patch remove extension releases from TER bulletin patch is okay

We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system remove extension, no extension is yes author e-mail to bulletin still maintained replies extension author yes no SecTeam author SecTeam reviews patch creates patch remove extension releases from TER bulletin no patch is okay

We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system remove extension, no extension is yes author e-mail to bulletin still maintained replies extension author yes no SecTeam author SecTeam reviews patch creates patch remove extension releases from TER bulletin no patch author or SecTeam is okay releases new version yes

We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system remove extension, no extension is yes author e-mail to bulletin still maintained replies extension author yes no SecTeam author SecTeam reviews patch creates patch remove extension releases from TER bulletin no patch author or SecTeam SecTeam marks is okay releases new version old versions in yes TER as insecure

We coordinate extension security ﬁxes with the extension authors reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system remove extension, no extension is yes author e-mail to bulletin still maintained replies extension author yes no SecTeam author SecTeam reviews patch creates patch remove extension releases from TER bulletin no patch author or SecTeam SecTeam marks SecTeam is okay releases new version old versions in releases yes TER as insecure bulletin

We cooperate with the Core Team in ﬁxing issues reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system

We cooperate with the Core Team in ﬁxing issues reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system SecTeam or CoreTeam creates patch

We cooperate with the Core Team in ﬁxing issues reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system post patch to SecTeam or core-security CoreTeam creates patch

We cooperate with the Core Team in ﬁxing issues reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system post patch to SecTeam or Reviews CoreTeam core-security creates patch

We cooperate with the Core Team in ﬁxing issues reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system post patch to SecTeam or Reviews CoreTeam core-security creates patch -1

We cooperate with the Core Team in ﬁxing issues reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system +1 by Core Team post patch to SecTeam or Reviews CoreTeam core-security creates patch +1 by Sec Team -1 release manager collects patches

We cooperate with the Core Team in ﬁxing issues reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system +1 by Core Team post patch to SecTeam or Reviews CoreTeam core-security creates patch +1 by Sec Team -1 release manager release manager collects patches releases security release

We cooperate with the Core Team in ﬁxing issues reply no report to automatic post to yes security@typo3.org security newsgroup & issue is real reply trouble ticket system +1 by Core Team post patch to SecTeam or Reviews CoreTeam core-security creates patch +1 by Sec Team -1 release manager release manager SecTeam collects patches releases security releases release bulletin

We follow a resp onsible (limited) d isclosure policy

We offer extension reviews but they are very time- consuming

Support the Security Team via the TYPO3 Assocation

Questions?

Thank you.

Everything you need to know about the TYPO3 Security Team (T3DD10)

by oliverklee on Jul 03, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

Statistics

Everything you need to know about the TYPO3 Security Team (T3DD10) — Presentation Transcript