TYPO3-CORE-SA-2012-005: Several Vulnerabilities in TYPO3 Core

Categories: TYPO3 CMS Created by Helmut Hummel
It has been discovered that TYPO3 Core is vulnerable to SQL Injection, Information Disclosure and Cross-Site Scripting

Component Type: TYPO3 Core

Affected Versions: 4.5.0 up to 4.5.20, 4.6.0 up to 4.6.13, 4.7.0 up to 4.7.5 and development releases of the 6.0 branch.

Vulnerability Types: SQL Injection, Cross-Site Scripting, Information Disclosure

Overall Severity: Medium

Release Date: November 8, 2012

Vulnerable subcomponent: TYPO3 Backend History Module

Vulnerability Type: SQL Injection, Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:C/I:C/A:N/E:F/RL:O/RC:C (What's that?)

CVEs: CVE-2012-6144, CVE-2012-6145

Problem Description: Due to missing encoding of user input, the history module is susceptible to SQL Injection and Cross-Site Scripting. A valid backend login is required to exploit this vulnerability.

Solution: Update to the TYPO3 version 4.5.21, 4.6.14 or 4.7.6 that fix the problem described!

Credits: Credits go to Thomas Worm who discovered and reported the issue.

Vulnerable subcomponent: TYPO3 Backend History Module

Vulnerability Type: Information Disclosure

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:O/RC:C (What's that?)

CVE: CVE-2012-6146

Problem Description: Due to a missing access check, regular editors could see the history view of arbitrary records, only by forging a proper URL for the History Module. A valid backend login is required to exploit this vulnerability.

Solution: Update to the TYPO3 version 4.5.21, 4.6.14 or 4.7.6 that fix the problem described!

Credits: Credits go to Core Team Member Oliver Hader who discovered and fixed the issue.

Vulnerable subcomponent: TYPO3 Backend API

Vulnerability Type: Cross-Site Scripting

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C (What's that?)

CVEs: CVE-2012-6147, CVE-2012-6148

Problem Description: Failing to properly HTML-encode user input the tree render API (TCA-Tree) is susceptible to Cross-Site Scripting. TYPO3 Versions below 6.0 does not make us of this API, thus is not exploitable, if no third party extension is installed which uses this API. A valid backend login is required to exploit this vulnerability.

Solution: Update to the TYPO3 version 4.5.21, 4.6.14 or 4.7.6 that fix the problem described!

Credits: Credits go to Johannes Feustel who discovered and reported the issue.

Vulnerable subcomponent: TYPO3 Backend API

Vulnerability Type: Cross-Site Scripting

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:P/RL:O/RC:C (What's that?)

Problem Description: Failing to properly encode user input, the function menu API is susceptible to Cross-Site Scripting. A valid backend login is required to exploit this vulnerability.

Solution: Update to the TYPO3 version 4.5.21, 4.6.14 or 4.7.6 that fix the problem described!

Credits: Credits go to Richard Brain who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.