TYPO3 Questionnaire Extension Vulnerability (CVE-2014-8874)

TYPO3 Questionnaire Extension Vulnerability (CVE-2014-8874)

Release date: 2014-12-01
Updated on: 2014-3 3

Affected Systems:
TYPO3 Questionnaire 2.5.2
Description:
Bugtraq id: 71390
CVE (CAN) ID: CVE-2014-8874

TYPO3 Questionnaire is a survey of the expansion of website traffic.

TYPO3 Questionnaire's installation directory "typo3temp" contains a Questionnaire that has been filled in based on the Questionnaire ID and user ID. Attackers can exploit this vulnerability to obtain sensitive information.

<* Source: RedTeam Pentesting GmbH (http://www.redteam-pentesting.de /)

Link: http://www.securityfocus.com/archive/1/534126
*>

Test method:

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
Using the tool wfuzz [1] it is possible to search for answers
Questionnaires on a TYPO3 site that employs ke_questionnaire:

------------------------------------------------------------------------

$ Python wfuzz. py-c-z range, 14000-15000-z range, 1-10 -- hc 301 http://example.com/typo3temp/tx_kequestionnaire_temp_FUZZ_FUZ2Z
------------------------------------------------------------------------

Suggestion:
Vendor patch:

TYPO3
-----
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://typo3.org/extensions/repository/view/ke_questionnaire

This article permanently updates the link address: