Fixed bug #10154: Weak encryption key generation vulnerability in sysext install...
authorIngo Renner <ingo.renner@typo3.org>
Tue, 20 Jan 2009 11:27:02 +0000 (11:27 +0000)
committerIngo Renner <ingo.renner@typo3.org>
Tue, 20 Jan 2009 11:27:02 +0000 (11:27 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@4785 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
typo3/sysext/install/ChangeLog
typo3/sysext/install/ext_emconf.php
typo3/sysext/install/ext_localconf.php
typo3/sysext/install/mod/class.tx_install.php

index cf7ed4e..ed32bcd 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,7 @@
        * Added missing license statement for using the "Silk" icon set of Mark James according to Creative Commons Attribution 2.5
        * Fixed bug #10134: XSS vulnerability in sysext indexed_search (thanks to the TYPO3 Security Team and especially Marcus Krause)
        * Fixed bug #10133: Command execution in sysext indexed_search (thanks to the TYPO3 Security Team and especially Marcus Krause)
+       * Fixed bug #10154: Weak encryption key generation vulnerability in sysext install (thanks to the TYPO3 Security Team, and especially Marcus Krause)
 
 2009-01-19  Steffen Kamper  <info@sk-typo3.de>
 
index f49a6f6..10adc5a 100644 (file)
@@ -1,3 +1,7 @@
+2009-01-20  Ingo Renner  <ingo@typo3.org>
+
+       * Fixed bug #10154: Weak encryption key generation vulnerability in sysext install (thanks to the TYPO3 Security Team, and especially Marcus Krause)
+
 2005-04-11  Ingmar Schlecht  <ingmar@typo3.org>
 
        * Now database host names can contain colons ":" so you can also specify ports like "localhost:3306"
index e99865f..417d1f0 100755 (executable)
@@ -32,7 +32,7 @@ $EM_CONF[$_EXTKEY] = array(
        'author_company' => 'CURBY SOFT Multimedie',
        'CGLcompliance' => '',
        'CGLcompliance_note' => '',
-       'version' => '0.1.0',
+       'version' => '0.1.1',
        '_md5_values_when_last_written' => 'a:55:{s:9:"ChangeLog";s:4:"7678";s:12:"ext_icon.gif";s:4:"fbaa";s:17:"ext_localconf.php";s:4:"3a8f";s:14:"ext_tables.php";s:4:"18d4";s:34:"verify_imgs/install_44f1273ab1.jpg";s:4:"1bb3";s:34:"verify_imgs/install_48784f637a.gif";s:4:"7a81";s:34:"verify_imgs/install_48784f637a.png";s:4:"0008";s:34:"verify_imgs/install_a8f7a333c8.gif";s:4:"2997";s:34:"verify_imgs/install_a8f7a333c8.png";s:4:"de3c";s:34:"verify_imgs/install_d1fa76faad.gif";s:4:"339f";s:34:"verify_imgs/install_d1fa76faad.png";s:4:"4b7e";s:34:"verify_imgs/install_f6b0cedc4d.gif";s:4:"c091";s:34:"verify_imgs/install_f6b0cedc4d.png";s:4:"f787";s:34:"verify_imgs/install_fcaf26c521.jpg";s:4:"32eb";s:34:"verify_imgs/install_fe1e67e805.gif";s:4:"8ff7";s:34:"verify_imgs/install_fe1e67e805.png";s:4:"2e7c";s:31:"verify_imgs/install_read_ai.jpg";s:4:"9878";s:32:"verify_imgs/install_read_bmp.jpg";s:4:"abc1";s:32:"verify_imgs/install_read_gif.jpg";s:4:"939b";s:32:"verify_imgs/install_read_jpg.jpg";s:4:"b66f";s:32:"verify_imgs/install_read_pcx.jpg";s:4:"1f03";s:32:"verify_imgs/install_read_pdf.jpg";s:4:"9d98";s:32:"verify_imgs/install_read_png.jpg";s:4:"939b";s:32:"verify_imgs/install_read_tga.jpg";s:4:"1f03";s:32:"verify_imgs/install_read_tif.jpg";s:4:"c64c";s:33:"verify_imgs/install_scale_gif.gif";s:4:"4557";s:33:"verify_imgs/install_scale_jpg.jpg";s:4:"3d81";s:33:"verify_imgs/install_scale_png.png";s:4:"aadd";s:33:"verify_imgs/install_write_gif.gif";s:4:"4956";s:33:"verify_imgs/install_write_png.png";s:4:"d644";s:22:"verify_imgs/readme.txt";s:4:"35d9";s:24:"imgs/blackwhite_mask.gif";s:4:"495e";s:21:"imgs/combine_back.jpg";s:4:"7f33";s:21:"imgs/combine_mask.jpg";s:4:"b4f6";s:19:"imgs/copyrights.txt";s:4:"73db";s:18:"imgs/greenback.gif";s:4:"4bfe";s:14:"imgs/jesus.bmp";s:4:"4b17";s:14:"imgs/jesus.gif";s:4:"bf76";s:14:"imgs/jesus.jpg";s:4:"9778";s:14:"imgs/jesus.pcx";s:4:"02d8";s:14:"imgs/jesus.png";s:4:"6782";s:14:"imgs/jesus.tga";s:4:"320c";s:14:"imgs/jesus.tif";s:4:"c8f8"
;s:22:"imgs/jesus2_transp.gif";s:4:"5b11";s:22:"imgs/jesus2_transp.png";s:4:"bf18";s:29:"imgs/pdf_from_imagemagick.pdf";s:4:"dfbb";s:21:"imgs/typo3logotype.ai";s:4:"9631";s:24:"mod/class.tx_install.php";s:4:"dc6e";s:13:"mod/clear.gif";s:4:"cc11";s:12:"mod/conf.php";s:4:"9b8b";s:15:"mod/install.gif";s:4:"fbaa";s:21:"mod/locallang_mod.xml";s:4:"ff83";s:46:"updates/class.tx_coreupdates_compatversion.php";s:4:"cb8d";s:46:"updates/class.tx_coreupdates_mergeadvanced.php";s:4:"bc2f";s:42:"updates/class.tx_coreupdates_notinmenu.php";s:4:"ed14";}',
        'constraints' => array(
                'depends' => array(
index 5ba30e3..6317bcc 100644 (file)
@@ -17,4 +17,6 @@ $TYPO3_CONF_VARS['SC_OPTIONS']['ext/install']['update']['installSystemExtensions
        // change tt_content.imagecols=0 to 1 for proper display in TCEforms since TYPO3 4.3
 $TYPO3_CONF_VARS['SC_OPTIONS']['ext/install']['update']['changeImagecolsValue'] = 'tx_coreupdates_imagecols';
 
+       // register eID script for ecryption key AJAX call
+$TYPO3_CONF_VARS['FE']['eID_include']['tx_install_eid'] = 'EXT:install/mod/class.tx_install_eid.php';
 ?>
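Review bot: The eID entry registered on the added line points at `EXT:install/mod/class.tx_install_eid.php`, but that file is not among the files this commit touches (see the file list above), so the "Generate random key" call will fail unless the handler already exists in the tree; worth confirming before release. Since an `eID_include` entry is reachable through the frontend, the comment on the preceding line should say what the handler may do, e.g. `// register eID script for the encryption key AJAX call; the handler only returns a freshly generated key and must not write localconf.php`, so a later maintainer does not extend it with write access. The comment also misspells "encryption" as "ecryption".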
index dba4887..5fa613b 100755 (executable)
@@ -2088,8 +2088,9 @@ From sub-directory:
                                if ($this->mode!='123') {
                                        $out.=$this->wrapInCells('Site name:', '<input type="text" name="TYPO3_INSTALL[localconf.php][sitename]" value="'.htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename']).'">');
                                        $out.=$this->wrapInCells('', '<br />');
-                                       $out.='<script type="text/javascript" src="../md5.js"></script><script type="text/javascript">function generateEncryptionKey(key) {time=new Date(); key=MD5(time.getMilliseconds().toString());while(key.length<66){key=key+MD5(key)};return key;}</script>';
-                                       $out.=$this->wrapInCells('Encryption key:', '<a name="set_encryptionKey"></a><input type="text" name="TYPO3_INSTALL[localconf.php][encryptionKey]" value="'.htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']).'"><br /><input type="button" onclick="document.forms[\'setupGeneral\'].elements[\'TYPO3_INSTALL[localconf.php][encryptionKey]\'].value=generateEncryptionKey(document.forms[\'setupGeneral\'].elements[\'TYPO3_INSTALL[localconf.php][encryptionKey]\'].value);" value="Generate random key">');
+                                       $out.='<script type="text/javascript" src="' . t3lib_div::getIndpEnv('TYPO3_SITE_URL') . TYPO3_mainDir . 'sysext/install/mod/install.js"></script>';
+                                       $out.='<script type="text/javascript" src="' . t3lib_div::getIndpEnv('TYPO3_SITE_URL') . TYPO3_mainDir . 'contrib/prototype/prototype.js"></script>';
+                                       $out.=$this->wrapInCells('Encryption key:', '<a name="set_encryptionKey"></a><input type="text" name="TYPO3_INSTALL[localconf.php][encryptionKey]" value="'.htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']).'"><br /><input type="button" onclick="EncryptionKey.load(this)" value="Generate random key">');
                                        $out.=$this->wrapInCells('', '<br />');
 
                                                // Other
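Review bot: On the two new `<script>` lines the value of `t3lib_div::getIndpEnv('TYPO3_SITE_URL')` is concatenated straight into a `src` attribute, while the `encryptionKey` value two lines below is passed through `htmlspecialchars()`; as far as I recall TYPO3_SITE_URL is derived from the request host, so it should be escaped like the other attribute values, e.g. `$out.='<script type="text/javascript" src="' . htmlspecialchars(t3lib_div::getIndpEnv('TYPO3_SITE_URL') . TYPO3_mainDir . 'sysext/install/mod/install.js') . '"></script>';` and the same for the prototype.js line. The replacement itself is the right direction: key generation moves off `MD5(time.getMilliseconds())` in the browser to a server-side call, which is what the bug report asks for. Note that `install.js` is loaded before `prototype.js`; if `EncryptionKey` is defined using Prototype helpers at load time the order needs to be swapped, which cannot be checked here because `install.js` is not in this commit's file list. The enclosing method starts and ends outside the hunk.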