Component Type: FLOW3
Affected Versions: 1.0, master
Release Date: March 28, 2012
Vulnerability Type: Insecure unserialize
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C
CVE: not assigned
Problem Description: Due to a missing signature (HMAC) for a request argument, an attacker could unserialize arbitrary objects within FLOW3.
To our knowledge it is neither possible to inject code through this vulnerability, nor are there exploitable objects within the FLOW3 Base Distribution. However, there might be exploitable objects within user applications.
Solution: Update to FLOW3 1.0.4 which fixes the problem described!
Note: The same problem applies to the Extbase Framework in TYPO3. Read the according advisory TYPO3-CORE-SA-2012-001 for more information.
Credits: Credits go to TYPO3 Security Team Member Helmut Hummel who discovered and reported the issue.