TYPO3-SA-2010-022: Multiple vulnerabilities in TYPO3 Core

December 16, 2010

Category: TYPO3 CMS
Author: Helmut Hummel
Keywords: TYPO3, security, TYPO3-SA-2010-022, core

It has been discovered that TYPO3 Core is vulnerable to Arbitrary Code Execution, Path Traversal, Cross-Site Scripting (XSS), SQL injection and Information Disclosure.

Component Type: TYPO3 Core

Affected Versions: 4.2.15 and below, 4.3.8 and below, 4.4.4 and below

Vulnerability Types: Arbitrary Code Execution, Path Traversal, Cross-Site Scripting (XSS), SQL injection, Information Disclosure

Overall Severity: High

Release Date: December 16, 2010

Vulnerable subcomponent #1: Frontend

Vulnerability Type: Cross-Site Scripting

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C

CVE: CVE-2010-5097

Problem Description: Failing to properly sanitize user input, the click-enlarge functionality is susceptible to Cross-Site Scripting. The problem only exists if the TYPO3 caching framework is turned on by configuration.

Solution: Update to the TYPO3 versions 4.3.9 or 4.4.5 that fix the problem described. TYPO3 versions 4.2.x are not affected.

Credits: Credits go to Andreas Weber who discovered and reported the issue.


Vulnerability Type: Cross-Site Scripting

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C

CVE: CVE-2010-5098

Problem Description: For a regular editor it is possible to inject arbitrary HTML or JavaScript into the FORM content object. A valid backend login is required to exploit this vulnerability.

Solution: Update to the TYPO3 versions 4.2.16, 4.3.9 or 4.4.5 that fix the problem described.

Credits: Credits go to Security Team Member Helmut Hummel who discovered and reported the issue.


Vulnerable subcomponent #2: PHP file inclusion protection API

Vulnerability Type: Arbitrary Code Execution

Severity: High

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C

CVE: CVE-2010-5099

Problem Description: Because of insufficient validation of user input, it is possible to circumvent the check for executable PHP files in some cases.

Solution: Update to the TYPO3 versions 4.2.16, 4.3.9 or 4.4.5 that fix the problem described.

Credits: Credits go to Gregor Kopf and Luca Carettoni who discovered and reported the issues.

Vulnerable subcomponent #3: Install Tool

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:L/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C

CVE: CVE-2010-5100

Problem Description: Failing to sanitize user input, the TYPO3 Install Tool is susceptible to XSS attacks in several places. A valid Install Tool login is required to exploit these vulnerabilities.

Solution: Update to the TYPO3 versions 4.2.16, 4.3.9 or 4.4.5 that fix the problem described.

Credits: Credits go to Cedric Tissieres who discovered and reported the issues.

Vulnerable subcomponent #4: Backend

Vulnerability Type: Remote File Disclosure

Severity: Low

Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C

CVE: CVE-2010-5101

Problem Description: Failing to properly validate user input, the TypoScript file inclusion functionality makes it possible to also include arbitrary PHP files into the TypoScript setup. A valid admin user login is required to exploit this vulnerability.

Solution: Update to the TYPO3 versions 4.2.16, 4.3.9 or 4.4.5 that fix the problem described.

Credits: Credits go to Fabrizio Branca who discovered and reported the issue and also created patches.


Vulnerability Type: Path Traversal

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:P/A:P/E:F/RL:OF/RC:C

CVE: CVE-2010-5102

Problem Description: Failing to sanitize user input, the unzip library is susceptible to Path Traversal.

Solution: Update to the TYPO3 versions 4.2.16, 4.3.9 or 4.4.5 that fix the problem described.

Credits: Credits go to Anthon Pang who discovered and reported the issue.


Vulnerability Type: SQL Injection

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:C/I:N/A:N/E:F/RL:OF/RC:C

CVE: CVE-2010-5103

Problem Description: Failing to sanitize user input, the list module functionality is susceptible to SQL injection. A valid backend login with the rights to access the list module is required to exploit this vulnerability.

Solution: Update to the TYPO3 versions 4.2.16, 4.3.9 or 4.4.5 that fix the problem described.

Credits: Credits go to Core Team Member Jigal van Hemert who discovered and reported the issue.

Vulnerable subcomponent #5: Database API

Vulnerability Type: Information Disclosure

Severity: Low

Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C

CVE: CVE-2010-5104

Problem Description: If the database connection to the MySQL database is set to sql_mode NO_BACKSLASH_ESCAPES, the TYPO3 Database API method escapeStrForLike() fails to properly quote user input, making it possible to inject wildcards into a LIKE query. This could potentially disclose a set of records that are meant to be kept secret.

Solution: Update to the TYPO3 versions 4.2.16, 4.3.9 or 4.4.5 that fix the problem described.

Credits: Credits go to Security Team Member Marcus Krause who discovered and reported the issue.
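The NO_BACKSLASH_ESCAPES issue above comes down to MySQL's LIKE semantics: in that sql_mode a backslash is an ordinary character and LIKE uses no default escape character, so a backslash-escaped `%` stays an active wildcard. The following added example (not TYPO3 code; `search`, the `|` escape character and the sample rows are constructed here) models that behaviour, shows a mode-independent escaping with an explicit ESCAPE clause, and checks the session sql_mode a deployment would query with `SELECT @@SESSION.sql_mode`.

```python
import re

# Constructed sample column values (not from the advisory). A search for the
# literal text "50%" must return only the first row.
ROWS = ["50%", "500", "50\\", "50\\secret"]

def like_to_regex(pattern, escape):
    """Translate a MySQL LIKE pattern into an anchored regex.
    escape=None models NO_BACKSLASH_ESCAPES: LIKE then has no default
    escape character and a backslash is matched literally."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if escape is not None and c == escape and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))  # escaped char: literal
            i += 2
            continue
        out.append(".*" if c == "%" else "." if c == "_" else re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"

def sql_like(rows, pattern, escape):
    """Rows satisfying `col LIKE pattern [ESCAPE escape]`."""
    rx = re.compile(like_to_regex(pattern, escape), re.S)
    return [r for r in rows if rx.match(r)]

def escape_like_backslash(s):
    """Backslash-escape the LIKE wildcards. Whether this protects anything
    depends on the server's sql_mode, which is the weakness described."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def escape_like_explicit(s, esc="|"):
    """Escape with a character the query names in an explicit ESCAPE
    clause, so the result does not depend on sql_mode (assumed fix)."""
    return s.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")

def search(rows, user_input, no_backslash_escapes, explicit=False):
    """Model of `WHERE col LIKE <escaped user input>` on a connection
    whose sql_mode may or may not contain NO_BACKSLASH_ESCAPES."""
    if explicit:
        return sql_like(rows, escape_like_explicit(user_input), "|")
    return sql_like(rows, escape_like_backslash(user_input),
                    None if no_backslash_escapes else "\\")

def backslash_escaping_is_safe(session_sql_mode):
    """Evaluate the value returned by `SELECT @@SESSION.sql_mode`."""
    modes = [m.strip().upper() for m in session_sql_mode.split(",")]
    return "NO_BACKSLASH_ESCAPES" not in modes
```

With the default sql_mode the backslash escaping works; with NO_BACKSLASH_ESCAPES the same query no longer finds the literal "50%" row and the `%` matches arbitrary trailing text instead, while the explicit ESCAPE variant behaves the same in both modes.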


General Advice: Follow the recommendations that are given in the TYPO3 Security Cookbook. Please subscribe to the typo3-announce mailing list.