Everything you need to know about the TYPO3 Security Team (T3DD10)
Speaker notes

  • Who has been in contact with the team, who has subscribed to typo3-announce, who has reported a vulnerability
  • Handle extension and core vulnerability reports; answer security-related questions, educate people; do paid extension reviews; create and review Core security fixes
  • Contribute to making TYPO3 and the web more secure; we learn a lot; it's fun (team); mostly unpaid, some projects/tasks have a budget: 4.3.0 patches, Incident Handling System
  • The Incident Handling System will automate some steps of the process
  • Not full disclosure: least necessary information, responsible disclosure; no PoC, no information without a fix
  • Extension reviews are time-consuming; only on demand, and paid (contact us for a price); only for one version; the concept of "reviewed extensions" in the TER is dead, but still helpful
  • Become an association member; donate to the association; create great reports

Presentation Transcript

  • Everything you need to know about the TYPO3 Security Team (Oliver Klee, T3DD10)
  • Making TYPO3 more secure since 2004
  • Making TYPO3 more secure since 2004: Andreas Förthner (V5 team leader), Helmut Hummel (V4 team leader), Lars E.D. Jensen, Marcus Krause, Rove Monteaux, Georg Ringer, Dmitry Dulepov, Jochen Weiland, Oliver Klee
  • We handle reports, create patches and educate
  • It's not about money
  • There are good vulnerability reports …
    Subject: SQL injection in tx_moo 5.2.9
    Dear security team, I think I've found an SQL injection vulnerability in the extension tx_moo version 5.2.9. In line 145 of the tx_moo_pi1 class, $piVars['uid'] is not escaped:
      $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
          '*',
          'tx_moo_cows',
          'uid = ' . $this->piVars['uid']
      );
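The reported line beside two hardened variants, as an added example that is not from the slides; tx_moo, tx_moo_cows and the pi1 class are the hypothetical names from the sample report, and the name column is assumed here. It uses the TYPO3 4.x database layer the report itself calls ($GLOBALS['TYPO3_DB']).

```php
<?php
// Added example, not from the slides. tx_moo / tx_moo_cows are the hypothetical
// names of the sample report; the "name" column is an assumption for variant 2.
class tx_moo_pi1_example {
    /** @var array filled by tslib_pibase from the request's tx_moo_pi1[...] parameters */
    public $piVars = array();

    // VULNERABLE (the line quoted in the report): the request value is glued
    // into the WHERE clause unescaped, so its content becomes part of the SQL.
    public function findCowVulnerable() {
        return $GLOBALS['TYPO3_DB']->exec_SELECTquery(
            '*', 'tx_moo_cows', 'uid = ' . $this->piVars['uid']
        );
    }

    // FIXED, variant 1: uid is an integer column, so cast before use. Anything
    // that is not a positive number is rejected instead of reaching the query.
    public function findCowByUid() {
        $uid = intval($this->piVars['uid']);
        if ($uid <= 0) {
            return FALSE;
        }
        return $GLOBALS['TYPO3_DB']->exec_SELECTquery(
            '*', 'tx_moo_cows', 'uid = ' . $uid
        );
    }

    // FIXED, variant 2: for string columns use the DB layer's quoting helper,
    // which escapes the value and wraps it in quotes for the given table.
    public function findCowByName() {
        $name = $GLOBALS['TYPO3_DB']->fullQuoteStr(
            (string) $this->piVars['name'], 'tx_moo_cows'
        );
        return $GLOBALS['TYPO3_DB']->exec_SELECTquery(
            '*', 'tx_moo_cows', 'name = ' . $name
        );
    }
}
```

A reviewer checking an extension for this class of bug looks for piVars or _GP values concatenated into a where_clause argument without intval() or fullQuoteStr().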
  • ... and there are the others.
    Subject: My site got hacked!
    Hi, I think my TYPO3 site got hacked. There suddenly is another user, and there's some strange JavaScript on all my pages. What can I do?
    http://typo3.org/teams/security/resources/ (Slides: TYPO3 website hacked)
  • We coordinate extension security fixes with the extension authors:
    - report to security@typo3.org; automatic post to the security newsgroup and the trouble ticket system
    - issue is real? no: reply to the reporter; yes: reply, then e-mail to the extension author
    - author replies? no: remove the extension from the TER, SecTeam releases a bulletin
    - extension is still maintained? no: remove the extension, bulletin; yes: author creates a patch
    - SecTeam reviews the patch; patch is okay? no: back to the author for a new patch; yes: author or SecTeam releases a new version
    - SecTeam marks the old versions in the TER as insecure
    - SecTeam releases a bulletin
  • We cooperate with the Core Team in fixing issues:
    - report to security@typo3.org; automatic post to the security newsgroup and the trouble ticket system
    - issue is real? no: reply; yes: reply, then SecTeam or Core Team creates a patch
    - post the patch to core-security for reviews: +1 by the Core Team and +1 by the Sec Team; a -1 sends it back for a new patch
    - release manager collects the patches and releases the security release
    - SecTeam releases the bulletin
  • We follow a responsible (limited) disclosure policy
  • We offer extension reviews, but they are very time-consuming
  • Support the Security Team via the TYPO3 Association
  • Questions?
  • Thank you.