TYPO3-CORE-SA-2012-003: Cross-Site Scripting Vulnerability in TYPO3 Core
July 04, 2012
Category: TYPO3 Core
Author: Marcus Krause
Keywords: TYPO3-CORE-SA-2012-003, Cross-Site Scripting
It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting.
Component Type: TYPO3 Core
Affected Versions: 4.5.0 up to 4.5.16, 4.6.0 up to 4.6.9, 4.7.0 up to 4.7.1 and development releases of the 6.0 branch.
Bulletin history: July 4, 2012 - corrected Secunia Advisory ID
Vulnerable subcomponent: Flash File Uploader
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C
CVE: n/a
Problem Description: TYPO3 bundles and uses an external JavaScript & Flash Upload Library called swfupload. TYPO3 can be configured to use this Flash uploader. Input passed via the "movieName" parameter to swfupload.swf is not properly sanitised before being used in a call to "ExternalInterface.call()". This can be exploited to execute arbitrary script code in a user's browser session in the context of an affected site. The existence of the swfupload library is sufficient to be vulnerable to the reported problem.
Note: The vulnerability in the swfupload library is addressed by Secunia Advisory SA49651.
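A log review for the request pattern described under Problem Description, as an added example that is not part of the advisory or of TYPO3: it flags access-log entries that request swfupload.swf with a "movieName" value that is not a plain identifier. The allowlist (letters, digits, underscore), the combined log format, the `/path/to/` location and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: legitimate movieName values are plain identifiers (e.g. "SWFUpload_0").
SAFE_MOVIE_NAME = re.compile(r"[A-Za-z0-9_]+")
# Request line as it appears inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

# Constructed sample entries; path and addresses are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jul/2012:10:00:01 +0000] "GET /path/to/swfupload.swf?movieName=SWFUpload_0 HTTP/1.1" 200 12345',
    '192.0.2.11 - - [04/Jul/2012:10:00:05 +0000] "GET /path/to/swfupload.swf?movieName=x%22%3Cy HTTP/1.1" 200 12345',
    '192.0.2.12 - - [04/Jul/2012:10:00:09 +0000] "GET /path/to/SWFUpload.swf?MovieName=x%2522y HTTP/1.1" 200 12345',
    '192.0.2.13 - - [04/Jul/2012:10:00:12 +0000] "GET /index.php?movieName=x%22 HTTP/1.1" 200 512',
]

def suspicious_movie_names(log_lines):
    """Return (line_number, decoded_value) for each swfupload.swf request
    whose movieName parameter is not a plain identifier."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue  # not a recognisable request line
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith("/swfupload.swf"):
            continue  # only the Flash uploader is of interest
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name.lower() != "moviename":
                continue
            # parse_qsl decoded once; decode again so double-encoded
            # values are judged on their final form.
            decoded = unquote(value)
            if not SAFE_MOVIE_NAME.fullmatch(decoded):
                hits.append((number, decoded))
    return hits

if __name__ == "__main__":
    for number, value in suspicious_movie_names(SAMPLE_LOG):
        print(f"line {number}: unexpected movieName {value!r}")
```

A hit shows that someone sent a non-identifier value to the uploader, not that a browser session was affected; treat it as a prompt to confirm the installed TYPO3 version against the affected ranges listed above.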
Solution: Update to the TYPO3 versions 4.5.17, 4.6.10 or 4.7.2 that fix the problem described!
Credits: Credits go to Nathan Partlan and Neal Poole who discovered the original movieName XSS vulnerability in the swfupload library.
General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.