October 8, 2012

Security information for typo3.org users

Category: Server Admin Team

By: Steffen Gebert & Michael Stucki on behalf of the TYPO3 Server Team

The following article contains important information about the security precautions that were taken after a bug was discovered on typo3.org. The same text was already sent by mail to all users who are affected by the issue.

Dear typo3.org user,

the following mail is sent to you purely as a security precaution.
Still, we would like you to read it very carefully.

We have noticed a problem in the TYPO3.org server infrastructure
which resulted in passwords being stored in the log files in
clear-text form.
Immediately after the problem was noticed and fixed, additional
steps were taken to reset the passwords of all affected users
and to delete all log files.

Who is affected?
Only users who have tried to log into the Gerrit Review system
on review.typo3.org at least once.
Your username was found in the log files, therefore you are
receiving this mail.

Who could access the log files containing these passwords?
Only typo3.org administrators have been able to access these
log files. There is no indication that any other people have
been involved or that any passwords were stolen!

What do you need to do?
Please go to typo3.org and reset your password. You can use
the "Forgot password" functionality (below the login drop-down)
to request a new password.

Background information:
typo3.org stores all passwords as hashes, thus in a secure
manner. All passwords are transferred with SSL encryption and
only between typo3.org and the Gerrit review server.
However, every time a user tried to log into the Gerrit
Review system on review.typo3.org, the username and
the clear-text password were written into the log file on
typo3.org, where any administrator (see below) could have
accessed the data.
Please note: nobody except members of the typo3.org server team
and administrators of the typo3.org web site was able to
access this log file, so your password was *not* stolen by
any hacker (to the best of our knowledge; we have no indication
of any unauthorized access).
In summary, 15 people had access to these log files. As we have
allowed these people to access the typo3.org server, we consider
all of these people as trusted.

As a security measure, and because we found a login attempt
with your user account, we decided to inform you about this
finding and to reset your password.

We hope you understand that we care about the safety of your
data.

If you have any questions, please contact us through
admin(at)typo3.org.

Your TYPO3 Server Admin Team
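The failure described above is credentials reaching a log file in clear text on the way to the Gerrit authentication back end. As an added defensive example (not code from typo3.org or the TYPO3 project), the following Python scrubs password values from log messages before they are written and scans an existing log for lines that still carry one; the log lines, key list and field names are constructed for the example.

```python
import logging
import re

# Field names whose values must never reach a log file (constructed list).
SECRET_KEYS = ("password", "passwd", "pwd", "pass")

# Matches key=value (query string / form body) and "key": "value" (JSON) forms.
_SECRET_RE = re.compile(
    r'(?P<key>\b(?:%s)\b)(?P<sep>"?\s*[=:]\s*"?)(?P<val>[^&\s"]+)'
    % "|".join(SECRET_KEYS),
    re.IGNORECASE,
)


def redact_credentials(line: str) -> str:
    """Replace every secret value in a log line with a fixed mask."""
    return _SECRET_RE.sub(
        lambda m: m.group("key") + m.group("sep") + "[REDACTED]", line
    )


def scan_log(lines):
    """Return (line_number, key) for every line still carrying a clear-text secret.

    Use this to audit existing logs after an incident like the one described.
    """
    findings = []
    for num, line in enumerate(lines, start=1):
        for m in _SECRET_RE.finditer(line):
            findings.append((num, m.group("key").lower()))
    return findings


class CredentialRedactingFilter(logging.Filter):
    """Logging filter that scrubs secrets before a record reaches any handler."""

    def filter(self, record):
        # Render the message first so placeholders are resolved, then mask it.
        record.msg = redact_credentials(record.getMessage())
        record.args = ()
        return True


# Constructed sample of the kind of lines the incident notice describes.
SAMPLE_LOG = [
    "2012-10-05 10:12:01 gerrit-auth user=alice password=s3cr3t! result=ok",
    "2012-10-05 10:12:09 gerrit-auth user=bob result=fail",
    '2012-10-05 10:12:15 api POST /login body={"username": "carol", "password": "hunter2"}',
]

if __name__ == "__main__":
    for num, key in scan_log(SAMPLE_LOG):
        print("line %d leaks field %r" % (num, key))
```

Attach the filter to the logger that records authentication requests; it masks the value but keeps the field name, so the log remains useful for troubleshooting.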

comments

comment #1
Jonas Felix, October 9, 2012 12:37
So it's not a TYPO3 Security issue but some very specific issue with the typo3.org setup. I think that's an important note.

comment #3
Knoellweb, October 17, 2012 16:07
But that was only a problem on your side and not with the TYPO3 system in general?

Thanks so far.

comment #4
Steffen Gebert, October 25, 2012 08:03
Hi Knoellweb,

sorry for the late answer. Yes, of course, this was only a problem with the official project infrastructure, no problem in the TYPO3 CMS itself.

Yours
Steffen

comment #5
Troy Howell, November 7, 2012 11:50
I'd say TYPO3 is used to create and manage websites of different kinds and dimensions, from small websites for individuals or non-profit organizations to multilingual business solutions for organizations.
