
Everything you need to know about the TYPO3 Security Team (T3DD10)


  1. Everything you need to know about the TYPO3 Security Team. Oliver Klee, T3DD10
  2. Making TYPO3 more secure since 2004
  3. Making TYPO3 more secure since 2004. Team members: Andreas Förthner (V5 team leader), Helmut Hummel (V4 team leader), Lars E.D. Jensen, Marcus Krause, Rove Monteaux, Georg Ringer, Dmitry Dulepov, Jochen Weiland, Oliver Klee
  4. We handle reports, create patches and educate
  5. It's not about the money
  6. There are good vulnerability reports …
  7. There are good vulnerability reports … (example report)
     Subject: SQL injection in tx_moo 5.2.9
     Dear security team,
     I think I've found an SQL injection vulnerability in the extension tx_moo version 5.2.9. In line 145 of the tx_moo_pi1 class, $piVars['uid'] is not escaped:
         $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
             '*',
             'tx_moo_cows',
             'uid = ' . $this->piVars['uid']
         );
  8. ... and there are the others.
  9. ... and there are the others. (example report)
     Subject: My site got hacked!
     Hi, I think my TYPO3 site got hacked. There suddenly is another user, and there's some strange JavaScript on all my pages. What can I do?
     See http://typo3.org/teams/security/resources/, slides "TYPO3 website hacked"
  10-28. We coordinate extension security fixes with the extension authors (flowchart, built up step by step across slides 10 to 28):
     report to security@typo3.org
     → automatic post to security newsgroup & trouble ticket system
     → issue is real?
         no → reply
         yes → reply, then e-mail to extension author
     → author replies?
         no → remove extension from TER; SecTeam releases bulletin
         yes → extension is still maintained?
             no → remove extension, bulletin
             yes → author creates patch
                 → SecTeam reviews patch
                 → patch is okay?
                     no → back to patch creation and review
                     yes → author or SecTeam releases new version
                         → SecTeam marks old versions in TER as insecure
                         → SecTeam releases bulletin
  29-36. We cooperate with the Core Team in fixing issues (flowchart, built up step by step across slides 29 to 36):
     report to security@typo3.org
     → automatic post to security newsgroup & trouble ticket system
     → issue is real?
         no → reply
         yes → reply
     → SecTeam or CoreTeam creates patch
     → post patch to core-security
     → reviews
         -1 → back to patch creation
         +1 by Core Team and +1 by Sec Team → release manager collects patches
     → release manager releases security release
     → SecTeam releases bulletin
  37. We follow a responsible (limited) disclosure policy
  38. We offer extension reviews, but they are very time-consuming
  39. Support the Security Team via the TYPO3 Association
  40. Questions?
  41. Thank you.
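The tx_moo report on slide 7 shows the pattern behind most extension SQL injection reports: a request parameter concatenated straight into a WHERE clause. The PHP below is an added example, not code from the slides and not from any real tx_moo extension; it puts that unsafe line beside the two fixes the TYPO3 4.x database layer (t3lib_DB) offers, intval() for integer columns and fullQuoteStr() for string columns. The function names, the stand-in quoting callback and the probe value are constructed for the example so that it runs outside a TYPO3 installation.

```php
<?php
// Added example (not from the slides): the unescaped piVars pattern from the
// tx_moo report next to two hardened variants for the TYPO3 4.x t3lib_DB API.
// Table and column names follow the slide; tx_moo is the slide's made-up extension.

// Vulnerable: the request value is glued into the WHERE clause unchanged,
// so whatever string arrives as piVars['uid'] is executed as SQL.
function tx_moo_where_unsafe($uidFromRequest)
{
    return 'uid = ' . $uidFromRequest;
}

// Hardened for an integer column: intval() reduces the value to an integer,
// so the clause can only ever read 'uid = <digits>'.
function tx_moo_where_int($uidFromRequest)
{
    return 'uid = ' . intval($uidFromRequest);
}

// Hardened for a string column: quote and escape through the DB layer.
// In a TYPO3 4.x plugin this is $GLOBALS['TYPO3_DB']->fullQuoteStr($value, $table);
// the $quote callback stands in for it so the example runs stand-alone (assumption).
function tx_moo_where_string($nameFromRequest, callable $quote)
{
    return 'name = ' . $quote($nameFromRequest, 'tx_moo_cows');
}

// Inside a TYPO3 4.x pi1 class the hardened query from the report would read
// (assumed surrounding context, $GLOBALS['TYPO3_DB'] is the t3lib_DB instance):
//   $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
//       '*',
//       'tx_moo_cows',
//       'uid = ' . intval($this->piVars['uid'])
//   );

// Stand-alone demonstration with constructed input.
$probe = '1 OR 1=1'; // constructed request value, not a legitimate uid

// Stand-in for fullQuoteStr(): escape quotes and backslashes, wrap in single quotes.
$mockQuote = function ($value, $table) {
    return "'" . addslashes($value) . "'";
};

echo "unsafe WHERE clause:  " . tx_moo_where_unsafe($probe) . PHP_EOL;
echo "intval WHERE clause:  " . tx_moo_where_int($probe) . PHP_EOL;
echo "quoted WHERE clause:  " . tx_moo_where_string("O'Brien", $mockQuote) . PHP_EOL;
```

Run with `php tx_moo_example.php`: the unsafe clause carries the whole probe string into the query, while the intval variant keeps only the leading integer, which is exactly the one-line change a reviewer would ask the tx_moo author for in the coordination flow on slides 10 to 28.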
