
Insecure Unserialize Vulnerability in FLOW3

It has been discovered that FLOW3 is vulnerable to Insecure Unserialize.

Component Type: FLOW3

Affected Versions: 1.0, master

Release Date: March 28, 2012

Vulnerability Type: Insecure unserialize

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C

Problem Description: Because one request argument was not protected by a signature (HMAC), an attacker could make FLOW3 unserialize arbitrary objects.
To our knowledge it is neither possible to inject code through this vulnerability, nor are there exploitable objects within the FLOW3 Base Distribution. However, there might be exploitable objects within user applications.
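The mitigation the advisory describes, a signature over the serialized request argument that is checked before unserialize() runs, can be illustrated with the following PHP snippet. This is an added example, not FLOW3's own code; the function names, the token layout (base64 payload, a dot, then the hex MAC) and the secret value are assumptions made here.

```php
<?php
// Added example (not FLOW3 code): sign a serialized request argument with an HMAC
// so that unserialize() only ever runs on data this application produced itself.
// $secret stands for an application-wide secret; the value below is a constructed placeholder.

declare(strict_types=1);

const HMAC_ALGO = 'sha256';

/** Serialize $value and append an HMAC computed over the serialized bytes. */
function signArgument(mixed $value, string $secret): string
{
    $payload = serialize($value);
    $mac = hash_hmac(HMAC_ALGO, $payload, $secret);
    return base64_encode($payload) . '.' . $mac;
}

/** Verify the HMAC first; return null on any mismatch so unserialize() is never reached. */
function verifyAndUnserialize(string $token, string $secret): mixed
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encoded, $mac] = $parts;
    $payload = base64_decode($encoded, true);
    if ($payload === false) {
        return null;
    }
    $expected = hash_hmac(HMAC_ALGO, $payload, $secret);
    // hash_equals() compares in constant time, so the MAC cannot be guessed byte by byte.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    // Defence in depth: even a validly signed payload only yields arrays and scalars,
    // so no object (and no __wakeup/__destruct) is ever instantiated from request data.
    return unserialize($payload, ['allowed_classes' => false]);
}

$secret = 'constructed-example-secret-do-not-use';

// Round trip: a token produced by the application verifies and decodes.
$token = signArgument(['page' => 2, 'sort' => 'name'], $secret);
assert(verifyAndUnserialize($token, $secret) === ['page' => 2, 'sort' => 'name']);

// A client that replaces the serialized part but keeps the old MAC is rejected,
// because it cannot compute a MAC without the secret.
$oldMac = substr($token, strpos($token, '.') + 1);
$tampered = base64_encode(serialize(['page' => 99])) . '.' . $oldMac;
assert(verifyAndUnserialize($tampered, $secret) === null);

// Malformed input (no separator) is rejected as well.
assert(verifyAndUnserialize('not-a-token', $secret) === null);
```

The essential property is the order of operations: the MAC is verified over the raw bytes before they are handed to unserialize(), and the comparison uses hash_equals(). Passing 'allowed_classes' => false is an extra safeguard for arguments that never need to carry objects; it is what keeps "exploitable objects within user applications" out of reach even if the secret were ever leaked.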

Solution: Update to FLOW3 1.0.4 which fixes the problem described!

Note: The same problem applies to the Extbase Framework in TYPO3. Read the corresponding advisory TYPO3-CORE-SA-2012-001 for more information.

Credits: Credits go to Security Team Member Helmut Hummel who discovered and reported the issue.

General Advice: Please subscribe to the FLOW3-announce mailing list.