11/14/05

Security Bulletin TYPO3-20051114-5: encryptionKey

 

Component Type: Core


Affected Components: Install Tool "encryptionKey" Generation


Versions: TYPO3 3.8.0 and earlier

Vulnerability Type: Key Length

Severity: Low

 

Problem Description:
For convenience, the TYPO3 Install Tool provides a button that sets the "encryptionKey" to a random value. It has been observed that only parts of the generated value are actually random. The overall key is therefore unique and, as of today, considered sufficiently secure. However, the effective key length is not the intended one.

 

Solution:

The solution is part of the general maintenance upgrade to TYPO3 version 3.8.1, which all users of TYPO3 are advised to implement. It contains a fix for the affected routine.

 

Credits:
Thanks to Jochen Weiland for notifying us.