Vulnerability Name:

CVE-2006-6690 (CCN-31061)

Assigned:2006-12-20
Published:2006-12-20
Updated:2018-10-17
Summary:rtehtmlarea/pi1/class.tx_rtehtmlarea_pi1.php in Typo3 4.0.0 through 4.0.3, 3.7 and 3.8 with the rtehtmlarea extension, and 4.1 beta allows remote authenticated users to execute arbitrary commands via shell metacharacters in the userUid parameter to rtehtmlarea/htmlarea/plugins/SpellChecker/spell-check-logic.php, and possibly another vector.
his vulnerability is addressed in the following product release:
Typo3, Typo3, 4.0.4
CVSS v3 Severity:4.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
6.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N)
3.5 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-Other
Vulnerability Consequences:Gain Access
References:Source: CCN
Type: Full-Disclosure Mailing List, Wed Dec 20 2006 - 07:04:15 CST
SEC Consult SA-20061220-0 :: Typo3 Command Execution Vulnerability

Source: MITRE
Type: CNA
CVE-2006-6690

Source: MLIST
Type: Vendor Advisory
[TYPO3-announce] 20061219 Pre-announcement for important security update

Source: MLIST
Type: Vendor Advisory
[TYPO3-announce] 20061220 TYPO3 Security Bulletin TYPO3-20061220-1: Remote Command Execution in TYPO3

Source: CCN
Type: SA23446
TYPO3 "userUid" Command Execution Vulnerability

Source: SECUNIA
Type: Patch, Vendor Advisory
23446

Source: CCN
Type: SA23466
TYPO3 rtehtmlarea Extension "userUid" Command Execution

Source: SECUNIA
Type: Patch, Vendor Advisory
23466

Source: SREASON
Type: UNKNOWN
2056

Source: CCN
Type: SECTRACK ID: 1017428
TYPO3 Input Validation Holes in `rtehtmlarea` Sysext Let Remote Users Execute Arbitrary Code

Source: SECTRACK
Type: Exploit, Patch
1017428

Source: CONFIRM
Type: UNKNOWN
http://typo3.org/news-single-view/?tx_newsimporter_pi1%5BshowItem%5D=0&cHash=e4a40a11a9

Source: CCN
Type: OSVDB ID: 30890
TYPO3 (class.tx_rtehtmlarea_pi1.php) spell-check-logic.php userUid Arbitrary Command Execution

Source: MISC
Type: Exploit
http://www.sec-consult.com/272.html

Source: BUGTRAQ
Type: UNKNOWN
20061220 SEC Consult SA-20061220-0 :: Typo3 Command Execution Vulnerability

Source: BID
Type: Exploit, Patch
21680

Source: CCN
Type: BID-21680
Typo3 Class.TX_RTEHTMLArea_PI1.PHP Multiple Remote Command Execution Vulnerabilities

Source: VUPEN
Type: UNKNOWN
ADV-2006-5094

Source: XF
Type: UNKNOWN
typo3-useruid-command-execution(31061)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:typo3:typo3:3.7.0:*:*:*:*:*:*:*
  • OR cpe:/a:typo3:typo3:3.8:*:*:*:*:*:*:*
  • OR cpe:/a:typo3:typo3:4.0:*:*:*:*:*:*:*
  • OR cpe:/a:typo3:typo3:4.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:typo3:typo3:4.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:typo3:typo3:4.0.3:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    typo3 typo3 3.7.0
    typo3 typo3 3.8
    typo3 typo3 4.0
    typo3 typo3 4.0.1
    typo3 typo3 4.0.2
    typo3 typo3 4.0.3