Everything you need to know about the TYPO3 Security Team

Oliver Klee, T3DD10

Making TYPO3 more secure since 2004

Team: Andreas Förthner (V5 team leader), Helmut Hummel (V4 team leader), Lars E.D. Jensen, Marcus Krause, Rove Monteaux, Georg Ringer, Dmitry Dulepov, Jochen Weiland, Oliver Klee

We handle reports, create patches and educate

It's not about the money

There are good vulnerability reports …

  Subject: SQL injection in tx_moo 5.2.9

  Dear security team,
  I think I've found an SQL injection vulnerability in the extension tx_moo version 5.2.9. In line 145 of the tx_moo_pi1 class, $piVars['uid'] is not escaped:

    $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
        '*',
        'tx_moo_cows',
        'uid = ' . $this->piVars['uid']
    );
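The sample report above describes the classic TYPO3 4.x plugin bug: a request parameter concatenated unescaped into a WHERE clause. The following is an added example, not code from the slides or from any real tx_moo extension; the table tx_moo_cows and the uid piVar come from the report, while the class name, method names and the name column are assumed for illustration.

```php
<?php
// Added example: the vulnerable query from the report beside hardened variants,
// written as a TYPO3 4.x frontend plugin (pi_base style). Class and method
// names are assumed; tx_moo_cows and piVars['uid'] are taken from the report.
class tx_moo_pi1_example {
    // piVars is filled from the request (GET/POST), so it is attacker-controlled.
    public $piVars = array();

    // Vulnerable: the raw request value becomes part of the SQL text, so the
    // caller decides what the WHERE clause means instead of the developer.
    public function getCowVulnerable() {
        return $GLOBALS['TYPO3_DB']->exec_SELECTquery(
            '*',
            'tx_moo_cows',
            'uid = ' . $this->piVars['uid']
        );
    }

    // Hardened: uid is an integer column, so cast the input. Anything that is
    // not numeric collapses to 0 and no SQL syntax can survive the cast.
    public function getCowSafe() {
        $uid = intval($this->piVars['uid']);
        return $GLOBALS['TYPO3_DB']->exec_SELECTquery(
            '*',
            'tx_moo_cows',
            'uid = ' . $uid
        );
    }

    // Hardened, string column (assumed column "name"): let the DB layer quote
    // and escape the literal (t3lib_DB::fullQuoteStr) instead of building it
    // by hand with string concatenation.
    public function findCowByName() {
        $name = $GLOBALS['TYPO3_DB']->fullQuoteStr(
            (string) $this->piVars['name'],
            'tx_moo_cows'
        );
        return $GLOBALS['TYPO3_DB']->exec_SELECTquery(
            '*',
            'tx_moo_cows',
            'name = ' . $name
        );
    }
}
```

A reviewer checking an extension for this class of bug looks for every `piVars`, `t3lib_div::_GP()` or `$_GET`/`$_POST` value that reaches `exec_SELECTquery`, `exec_UPDATEquery` or `exec_DELETEquery` without an `intval()` cast or `fullQuoteStr()` call in between.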
... and there are the others.

  Subject: My site got hacked!

  Hi,
  I think my TYPO3 site got hacked. There suddenly is another user, and there's some strange JavaScript on all my pages. What can I do?

  http://typo3.org/teams/security/resources/
  Slides: TYPO3 website hacked

We coordinate extension security fixes with the extension authors

  The workflow built up over the slides:
  - report to security@typo3.org; automatic post to the security newsgroup & trouble ticket system
  - issue is real? no: reply; yes: reply and e-mail to extension author
  - author replies? no: remove extension from TER, SecTeam releases bulletin
  - extension is still maintained? no: remove extension, bulletin
  - yes: author creates patch, SecTeam reviews patch
  - patch is okay? no: back to author creates patch; yes: author or SecTeam releases new version
  - SecTeam marks old versions in TER as insecure
  - SecTeam releases bulletin

We cooperate with the Core Team in fixing issues

  The workflow built up over the slides:
  - report to security@typo3.org; automatic post to the security newsgroup & trouble ticket system
  - issue is real? no: reply; yes: reply
  - SecTeam or CoreTeam creates patch
  - post patch to core-security; reviews: +1 by Core Team, +1 by Sec Team; a -1 sends it back to creating a patch
  - release manager collects patches
  - release manager releases security release
  - SecTeam releases bulletin

We follow a responsible (limited) disclosure policy

We offer extension reviews, but they are very time-consuming

Support the Security Team via the TYPO3 Association

Questions?

Thank you.
Slide notes

  • - who has been in contact
    - who has subscribed to typo3-announce
    - who has reported a vulnerability
  • - handle extension and core vulnerability reports
    - answer security-related questions, educate people
    - do paid extension reviews
    - create and review Core security fixes
  • - contribute to make TYPO3 & the web more secure
    - we learn a lot
    - it's fun (team)
    - mostly unpaid, some projects/tasks have a budget: 4.3.0 patches, Incident Handling System
  • - Incident Handling System will automate some steps
  • - != full disclosure
    - least necessary information, responsible disclosure
    - no PoC, no information without a fix
  • - time-consuming
    - only on demand, and paid (contact us for the price)
    - only for one version
    - concept of „reviewed extensions“ in the TER is dead, still helpful
  • - become an association member
    - donate to the association
    - create great reports
