TYPO3-SA-2010-012: Multiple vulnerabilities in TYPO3 Core

Categories: TYPO3 CMS

Created by: Helmut Hummel

It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting (XSS), Open Redirection, SQL Injection, Broken Authentication and Session Management, Insecure Randomness, Information Disclosure and Arbitrary Code Execution.

Component Type: TYPO3 Core

Affected Versions: 4.1.13 and below, 4.2.12 and below, 4.3.3 and below, 4.4

Vulnerability Types: Cross-Site Scripting (XSS), Open Redirection, SQL Injection, Broken Authentication and Session Management, Insecure Randomness, Information Disclosure, Arbitrary Code Execution

Overall Severity: High

Release Date: July 28, 2010

Vulnerable subcomponent #1: Backend

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C

Problem Description: Failing to sanitize user input, the TYPO3 backend is susceptible to XSS attacks in several places. A valid backend login is required to exploit these vulnerabilities.

Solution: Update to the TYPO3 versions 4.1.14, 4.2.13, 4.3.4 or 4.4.1 that fix the problem described.

Credits: Credits go to Jelmer de Hen, Nikolas Hagelstein, Daniel Sloof, Core Team Member Tobias Liebig, Security Team members Georg Ringer, Dmitry Dulepov and Helmut Hummel who discovered and reported the issues.

Vulnerability Type: Open Redirection

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C

Problem Description: Failing to sanitize user input, the TYPO3 backend is susceptible to open redirection in several places.

Solution: Update to the TYPO3 versions 4.1.14, 4.2.13, 4.3.4 or 4.4.1 that fix the problem described.

Credits: Credits go to Maxime Verroye and Security Team member Helmut Hummel who discovered and reported the issue.

Vulnerability Type: SQL Injection

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C

Problem Description: Failing to properly escape user input for a database query, some backend record editing forms are susceptible to SQL injection. This is only exploitable by an editor who has the right to edit records that have a special "where" query definition in TCA, or records that use the auto-suggest feature available in TYPO3 versions 4.3 and higher.

Solution: Update to the TYPO3 versions 4.1.14, 4.2.13, 4.3.4 or 4.4.1 that fix the problem described.

Credits: Credits go to Marc Bastian Heinrichs, Core Team member Steffen Kamper and Security Team member Helmut Hummel who discovered and reported the issues.
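The record-editing forms above built a WHERE clause from an editor-supplied value without escaping it. The following is an added example, not TYPO3's own code, showing the same lookup done both ways: the term concatenated into the SQL text, and the term bound as a parameter. The `pages` table, its rows and the functions `suggestVulnerable()` / `suggestSafe()` are constructed for the demonstration and use an in-memory SQLite database through PDO.

```php
<?php
// Added example, not TYPO3 code: an auto-suggest style lookup done two ways,
// with the editor-supplied term interpolated into the WHERE clause (vulnerable)
// and bound as a parameter (fixed). The SQLite table is constructed for the demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pages (uid INTEGER PRIMARY KEY, title TEXT NOT NULL, hidden INTEGER NOT NULL)');
$pdo->exec("INSERT INTO pages (uid, title, hidden) VALUES (1, 'Home', 0), (2, 'Board minutes', 1), (3, 'Contact', 0)");

/** Vulnerable: $term becomes part of the SQL text and can change its meaning. */
function suggestVulnerable(PDO $pdo, string $term): array
{
    $sql = "SELECT uid, title FROM pages WHERE hidden = 0 AND title LIKE '%" . $term . "%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Fixed: $term is bound as a parameter and can only ever be data. */
function suggestSafe(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare('SELECT uid, title FROM pages WHERE hidden = 0 AND title LIKE :pattern');
    // LIKE wildcards (% and _) inside $term are still interpreted by the
    // database; add an ESCAPE clause if that matters for your use case.
    $stmt->execute([':pattern' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A perfectly ordinary editor input containing an apostrophe is enough to show
// the difference: the interpolated query is no longer valid SQL, the bound one runs.
$term = "O'Neil";
try {
    suggestVulnerable($pdo, $term);
} catch (PDOException $e) {
    echo "interpolated query failed: " . $e->getMessage() . "\n";
}
var_dump(suggestSafe($pdo, $term));   // apostrophe is plain data here
var_dump(suggestSafe($pdo, 'cont'));  // ordinary prefix search
```

The apostrophe case is deliberately harmless: it shows that the interpolated version lets input change the structure of the statement, which is exactly the property an injection exploits, without the example needing an injection payload.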

Vulnerability Type: Arbitrary Code Execution

Severity: None/High (Depending on the webserver configuration)

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:C/I:C/A:N/E:POC/RL:OF/RC:C

Problem Description: An insufficiently secure default value of the TYPO3 configuration variable fileDenyPattern allows backend users to upload files with the .phtml file extension, which may be executed as PHP on certain webserver setups. The new default value of fileDenyPattern is: \.(php[3-6]?|phpsh|phtml)(\..*)?$|^\.htaccess$

Note: Please also read an older bulletin and a blog article for further information about the fileDenyPattern.

Solution: Update to the TYPO3 versions 4.1.14, 4.2.13, 4.3.4 or 4.4.1 that fix the problem described.

Credits: Credits go to Core Team member Ernesto Baschny who discovered and reported the issue.
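To see what the new fileDenyPattern does and does not reject, here is an added example (not TYPO3's own code) that applies the pattern from this advisory to a set of constructed file names. The function `isDeniedFilename()` and the sample names are assumptions made for the demonstration; the case-insensitive match is also an assumption about how TYPO3 applies the pattern and should be checked against the version in use.

```php
<?php
// Added example, not TYPO3 code: check an upload filename against the new
// fileDenyPattern default from this advisory. The old default did not list
// .phtml, which is why such files could be uploaded. The pattern is applied
// case-insensitively here (assumption for this demo; check your version).

const FILE_DENY_PATTERN = '\.(php[3-6]?|phpsh|phtml)(\..*)?$|^\.htaccess$';

/** Returns true when $filename must be rejected. */
function isDeniedFilename(string $filename, string $pattern = FILE_DENY_PATTERN): bool
{
    // Decide on the basename only, so directory parts cannot mask the extension.
    $basename = basename(str_replace('\\', '/', $filename));
    return preg_match('/' . $pattern . '/i', $basename) === 1;
}

// Constructed sample names covering the cases the pattern is meant to handle.
$samples = [
    'brochure.pdf',         // ordinary document
    'logo.jpg',             // ordinary image
    'phpinfo.txt',          // "php" appears, but not as an extension
    'shell.phtml',          // the extension this advisory adds
    'upload.php.txt',       // double extension, handled by (\..*)?$
    'Script.PHP5',          // upper-case extension
    'fileadmin/.htaccess',  // directory prefix in front of .htaccess
];
foreach ($samples as $name) {
    printf("%-22s %s\n", $name, isDeniedFilename($name) ? 'DENIED' : 'allowed');
}
```

The `(\..*)?$` group is what makes double extensions such as `upload.php.txt` fail the check; Apache configurations that evaluate every extension of a multi-dotted name would otherwise treat such a file as PHP.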

Vulnerability Type: Information Disclosure

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C

Problem Description: If an extension with a defective backend module is installed, TYPO3 will issue an error message which reveals the complete path to the web root.

Solution: Update to the TYPO3 versions 4.1.14, 4.2.13, 4.3.4 or 4.4.1 that fix the problem described.

Credits: Credits go to Core Team member Dmitry Dulepov who discovered and reported the issue.

Vulnerability Type: Information Disclosure/ Cross-Site Scripting

Severity: Low

Suggested CVSS v2.0: AV:N/AC:H/Au:M/C:C/I:C/A:C/E:U/RL:OF/RC:C

Problem Description: Failing to properly validate and escape user input, the Extension Manager is susceptible to XSS. Additionally, by forging a special request parameter it is possible to view (and, under special conditions, edit) the contents of every file the webserver has access to. A valid admin user login is required to exploit this vulnerability.

Solution: Update to the TYPO3 versions 4.1.14, 4.2.13, 4.3.4 or 4.4.1 that fix the problem described.

Credits: Credits go to Tim Lochmüller who discovered and reported the issue.

Vulnerable subcomponent #2: User authentication

Vulnerability Type: Insecure Randomness

Severity: Very Low

Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C

Problem Description: As a precaution against PHP's weak randomness in the uniqid() function, the random byte generation function t3lib_div::generateRandomBytes() has been vastly improved, especially for Windows systems. In addition, TYPO3 now uses this function instead of PHP's uniqid() to generate the session id for frontend and backend authentication.

Note: Nevertheless, the probability of guessing the session id was very low even before this improvement.

Solution: Update to the TYPO3 versions 4.1.14, 4.2.13, 4.3.4 or 4.4.1 that fix the problem described.

Credits: Credits go to Sascha Kettler and Security Team member Marcus Krause, who discovered and reported the issue and provided the patch improving the random byte generation.

Vulnerable subcomponent #3: Frontend

Vulnerability Type: Spam Abuse

Severity: High

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:N/A:N/E:POC/RL:OF/RC:C

Problem Description: Failing to check for valid parameters, the native form content element is susceptible to spam abuse. An attacker could abuse the form to send mails to arbitrary email addresses.

Solution: Update to the TYPO3 versions 4.1.14, 4.2.13, 4.3.4 or 4.4.1 that fix the problem described.

Credits: Credits go to Lars Houmark who discovered and reported the issue.
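One way to make a mail form immune to this kind of abuse is to never take a recipient address from the request at all: the request only carries a key into a server-side table of permitted recipients. The following is an added example and not TYPO3's form content element; `FORM_RECIPIENTS`, `prepareFormMail()` and the submissions are constructed for the demonstration (PHP 7.1 or later for the `?array` return type).

```php
<?php
// Added example, not TYPO3 code: a mail form whose recipient is chosen on the
// server. The request only carries a key into a configured recipient table, so
// an address supplied in the request can never become the "To:" of the mail.
// Recipients and submissions are constructed for the demo.

const FORM_RECIPIENTS = [
    'sales'   => 'sales@example.org',
    'support' => 'support@example.org',
];

/**
 * Returns [recipient, subject, body] for an acceptable submission, or null.
 * The visitor's address is validated as an address and placed in the body;
 * it is never used unchecked as a mail header or as the envelope sender.
 */
function prepareFormMail(array $request): ?array
{
    $key = $request['recipient'] ?? '';
    if (!isset(FORM_RECIPIENTS[$key])) {
        return null;    // unknown key: an address in this field is simply not a key
    }
    $from = filter_var($request['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($from === false) {
        return null;
    }
    // A subject is a single header line; fold any line breaks away.
    $subject = preg_replace('/[\r\n]+/', ' ', trim((string)($request['subject'] ?? '')));
    if ($subject === '') {
        return null;
    }
    $body = "From: " . $from . "\n\n" . (string)($request['message'] ?? '');
    return [FORM_RECIPIENTS[$key], $subject, $body];
}

// Constructed submissions: a valid one, one that tries to name its own
// recipient, and one with an unusable sender address.
$submissions = [
    ['recipient' => 'sales', 'email' => 'visitor@example.net', 'subject' => 'Quote request', 'message' => 'Hello'],
    ['recipient' => 'someone@elsewhere.example', 'email' => 'visitor@example.net', 'subject' => 'Hi', 'message' => '...'],
    ['recipient' => 'support', 'email' => 'not an address', 'subject' => 'Help', 'message' => ''],
];
foreach ($submissions as $i => $s) {
    $mail = prepareFormMail($s);
    printf("submission %d: %s\n", $i + 1, $mail === null ? 'rejected' : 'to ' . $mail[0]);
}
```

Rate limiting per client and a per-form token are the usual additions on top of this, but the recipient table is the part that removes the "arbitrary email addresses" problem described above.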

Vulnerability Type: Header Injection

Severity: Low/High (depending on the PHP version used)

Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C

Problem Description: Failing to sanitize user input, the secure download feature (jumpurl) of TYPO3 is susceptible to header injection and manipulation.

Note: As of PHP 4.4.2 and 5.1.2, it is no longer possible to send more than one header at once. This mitigates the impact of this vulnerability, making it only possible to spoof the MIME type of the download.

Solution: Update to the TYPO3 versions 4.1.14, 4.2.13, 4.3.4 or 4.4.1 that fix the problem described.

Credits: Credits go to Maxime Verroye who reported the issue.
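A download handler stays clear of both problems described above (injected header lines on old PHP, a spoofed MIME type on newer PHP) if nothing from the request is copied into a header: the Content-Type comes from a server-side table keyed by extension, and the file name is restricted to a character set that cannot carry line breaks or quotes. The following is an added example, not TYPO3's jumpurl code; `ALLOWED_MIME_TYPES`, `downloadHeaders()` and the sample requests are constructed for the demonstration.

```php
<?php
// Added example, not TYPO3 code: compose download headers from a requested
// file name without letting request data reach header() unchecked. The
// extension-to-MIME table and the sample requests are constructed for the demo.

const ALLOWED_MIME_TYPES = [
    'pdf' => 'application/pdf',
    'zip' => 'application/zip',
    'png' => 'image/png',
];

/**
 * Returns the header lines for serving $requestedFile, or null if the request
 * is not acceptable. The Content-Type comes from the server-side table, never
 * from the request, and the file name is limited to a safe character set.
 */
function downloadHeaders(string $requestedFile): ?array
{
    $name = basename(str_replace('\\', '/', $requestedFile));
    // Printable ASCII only, no leading dot: this rejects CR/LF, quotes and
    // anything else that could terminate or alter a header line.
    if ($name === '' || !preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $name)) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_MIME_TYPES[$ext])) {
        return null;
    }
    return [
        'Content-Type: ' . ALLOWED_MIME_TYPES[$ext],
        'Content-Disposition: attachment; filename="' . $name . '"',
        'X-Content-Type-Options: nosniff',
    ];
}

// Constructed requests: two ordinary files, a path outside the download
// directory with a scripting extension, and a name carrying a line break.
$requests = [
    'annual-report.pdf',
    '../some/directory/config.php',
    "report.pdf\r\nX-Injected: 1",
    'image.png',
];
foreach ($requests as $requested) {
    $headers = downloadHeaders($requested);
    printf("%-34s %s\n", addcslashes($requested, "\0..\37"),
        $headers === null ? 'rejected' : implode(' | ', $headers));
}
```

The file itself should additionally be resolved with realpath() against the download directory before it is read; the header logic above only guarantees that the response metadata is trustworthy.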

Vulnerable subcomponent #4: Frontend Login

Vulnerability Type: Open Redirection, Cross-Site Scripting

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C

Problem Description: Failing to sanitize user input, the frontend login box is susceptible to Open Redirection and Cross-Site Scripting.

Solution: Update to the TYPO3 versions 4.2.13, 4.3.4 or 4.4.1 that fix the problem described. Versions 4.1.x are not affected due to the lack of the felogin system extension.

Credits: Credits go to Franz G. Jahn who discovered and reported the issue.
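The open redirection findings in the backend (subcomponent #1) and in the frontend login box here share one remedy: a user-supplied return URL has to be checked against the site's own host before it is handed to a Location header. The following is an added example and not TYPO3's own code; `safeRedirectTarget()`, the host `www.example.org` and the candidate URLs are constructed for the demonstration.

```php
<?php
// Added example, not TYPO3 code: validate a user-supplied redirect target
// before it reaches header('Location: ...').
// Accepted: a relative path (but not a protocol-relative "//host" reference)
// or an absolute http(s) URL whose host equals the host of the current request.

/** Returns $redirectUrl if it points back to $currentHost, otherwise $fallback. */
function safeRedirectTarget(string $redirectUrl, string $currentHost, string $fallback = '/'): string
{
    // Control characters (including CR/LF) must never reach a header.
    if ($redirectUrl === '' || preg_match('/[\x00-\x1F\x7F]/', $redirectUrl)) {
        return $fallback;
    }
    $parts = parse_url($redirectUrl);
    if ($parts === false) {
        return $fallback;
    }
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        // Relative reference: refuse "//host" and backslashes, which browsers
        // may interpret as pointing to a different origin.
        if (substr($redirectUrl, 0, 2) === '//' || strpos($redirectUrl, '\\') !== false) {
            return $fallback;
        }
        return $redirectUrl;
    }
    if (isset($parts['scheme'], $parts['host'])
        && in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        && strcasecmp($parts['host'], $currentHost) === 0
    ) {
        return $redirectUrl;
    }
    return $fallback;
}

// Constructed demonstration inputs.
$currentHost = 'www.example.org';
$candidates = [
    '/index.php?id=2',                        // relative path
    'https://www.example.org/index.php?id=1', // absolute URL, own host
    'http://elsewhere.example/',              // absolute URL, foreign host
    '//elsewhere.example/',                   // protocol-relative reference
    'https://www.example.org@elsewhere.example/', // own host in the userinfo part only
    "/index.php\r\nX-Injected: 1",            // line break in the value
];
foreach ($candidates as $url) {
    printf("%-44s -> %s\n", addcslashes($url, "\0..\37"), safeRedirectTarget($url, $currentHost));
}
```

Comparing the parsed host rather than checking whether the string starts with the site URL is the important detail: the userinfo case in the sample list begins with the site's host name and would pass a prefix check.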

Vulnerability Type: Insecure Randomness

Severity: High

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C

Problem Description: The "forgot password" function generates a hash which is verified to authenticate the password change request. Because of very low randomness when generating the hash, especially on Windows systems, brute-forcing the hash value is possible in a short timeframe.

Solution: Update to the TYPO3 versions 4.3.4 or 4.4.1 that fix the problem described. Versions 4.1.x and 4.2.x are not affected due to the lack of this functionality.

Credits: Credits go to Manuel Stofer who discovered and reported the issue.
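Both randomness findings in this bulletin (the session id in subcomponent #2 and the password-reset hash here) come down to the same rule: a token that authenticates a request must come from a cryptographic random source, be long enough that guessing is hopeless, and be compared in constant time. The following is an added example, not TYPO3's felogin code; `issueResetToken()`, `verifyResetToken()` and the `$pending` array standing in for a database table are constructed for the demonstration and rely on random_bytes() and hash_equals() from PHP 7.

```php
<?php
// Added example, not TYPO3 code: a "forgot password" token generated from a
// cryptographic source (random_bytes(), PHP 7+) instead of uniqid(), whose
// output is derived from the clock and is therefore guessable. $store stands
// in for the database table holding pending reset requests (constructed here).

const TOKEN_BYTES = 32;        // 256 bits of entropy
const TOKEN_LIFETIME = 3600;   // seconds a token stays valid

/** Creates a reset token for $userId. Only its hash is stored; the token itself goes into the mail. */
function issueResetToken(array &$store, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(TOKEN_BYTES));
    $store[$userId] = [
        'hash'    => hash('sha256', $token),
        'expires' => $now + TOKEN_LIFETIME,
    ];
    return $token;
}

/** Verifies a presented token in constant time; a valid token is consumed. */
function verifyResetToken(array &$store, int $userId, string $presented, int $now): bool
{
    if (!isset($store[$userId]) || $now > $store[$userId]['expires']) {
        return false;
    }
    $ok = hash_equals($store[$userId]['hash'], hash('sha256', $presented));
    if ($ok) {
        unset($store[$userId]);   // single use
    }
    return $ok;
}

// Constructed walk-through for user 42.
$pending = [];
$now = time();
$token = issueResetToken($pending, 42, $now);
var_dump(verifyResetToken($pending, 42, 'not-the-token', $now));             // wrong token
var_dump(verifyResetToken($pending, 42, $token, $now + TOKEN_LIFETIME + 1));  // presented after expiry
var_dump(verifyResetToken($pending, 42, $token, $now));                       // the real token in time
var_dump(verifyResetToken($pending, 42, $token, $now));                       // presented a second time
```

Storing only the hash means that a read of the pending-requests table does not hand out usable tokens, and the expiry plus single use keep the window in which a leaked mail is useful as small as possible.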

Vulnerable subcomponent #5: Install Tool

Vulnerability Type: Broken Authentication and Session Management

Severity: Low

Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:C/I:C/A:N/E:POC/RL:OF/RC:C

Problem Description: TYPO3 authenticates install tool users without invalidating a supplied session identifier. Therefore, TYPO3 is open to session fixation attacks, which allow an attacker to hijack a victim's session.

Solution: Update to the TYPO3 versions 4.1.14, 4.2.13, 4.3.4 or 4.4.1 that fix the problem described.

Credits: Credits go to Security Team member Marcus Krause who discovered and reported the issue.
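The missing step described above is the session id rotation at login. The following is an added example, not the install tool's code, of a login routine that discards whatever identifier the client arrived with before any authenticated state is stored; the user table, the `login()` and `logout()` functions and the walk-through are constructed for the demonstration and use PHP's native session functions.

```php
<?php
// Added example, not TYPO3 code: a login routine that issues a fresh session
// identifier on successful authentication, so an identifier planted in the
// victim's browser beforehand (session fixation) never becomes an authenticated
// session. The user table is constructed for the demo.

$users = [
    'editor' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // Privilege changes: replace the client-supplied ID and delete the old
    // session data (the "true" argument) before storing authenticated state.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['login_time'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Walk-through: the ID after login differs from the one the client arrived with.
session_start();
$arrivedWith = session_id();
if (login($users, 'editor', 'correct horse battery staple')) {
    printf("authenticated as %s; session id renewed: %s\n",
        $_SESSION['user'], $arrivedWith !== session_id() ? 'yes' : 'no');
}
logout();
```

The same rotation belongs at every privilege boundary, not only at login: switching users, elevating to an admin context and re-authenticating after a timeout all deserve a fresh identifier.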

Vulnerable subcomponent #6: FLUID Templating Engine

Vulnerability Type: Cross-Site Scripting

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C

Problem Description: The textarea view helper does not escape its output. Using it in an Extbase extension therefore leads to an XSS vulnerability unless the extension author escapes the output explicitly.

Solution: Update to the TYPO3 versions 4.3.4 or 4.4.1 that fix the problem described.

Credits: Credits go to Core Team member Sebastian Kurfürst who discovered and reported the issue.

Vulnerable subcomponent #7: Mailing API

Vulnerability Type: Information Disclosure

Severity: Very Low

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C

Problem Description: The TYPO3 HTML mailing API class t3lib_htmlmail includes the exact version number of the TYPO3 installation in the mail header.

Solution: Update to the TYPO3 versions 4.2.13, 4.3.4 or 4.4.1 that fix the problem described. Versions 4.1.x are not affected.

Credits: Credits go to Kai Vogel who discovered and reported the issue.

Vulnerable subcomponent #8: Introduction Package

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C

Problem Description: Failing to properly escape the output, the frontend search box is susceptible to XSS.

Solution: Update to version 4.4.1 of the Introduction Package, which fixes the problem described.

Credits: Credits go to Alexandre Gravel-Raymond and Security Team member Georg Ringer who discovered and reported the issue.
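Three of the XSS findings in this bulletin (the backend in subcomponent #1, the Fluid textarea view helper in #6 and the search box here) are output-escaping failures. The following is an added example, not code from TYPO3, Fluid or the Introduction Package, showing the escaping for a value echoed into an attribute and for the body of a textarea, which is the less obvious case because a literal `</textarea>` in the value would otherwise end the element early. The functions `e()`, `renderSearchBox()`, `renderTextarea()` and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example, not TYPO3 code: escaping user-controlled values before they are
// written into HTML, both for a quoted attribute and for the body of a
// <textarea>. Sample values are constructed.

/** Escapes a value for use as HTML text content or inside a quoted attribute. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Renders a search box that echoes the previous query back into the value attribute. */
function renderSearchBox(string $query): string
{
    return '<form method="get"><input type="text" name="sword" value="' . e($query) . '"></form>';
}

/**
 * Renders a textarea. Its body is text in HTML terms, but a literal "</textarea>"
 * inside the value would end the element early, so the value is escaped exactly
 * like text content: "<" becomes "&lt;" and the browser decodes it again when
 * the form is displayed, so the user sees the original text.
 */
function renderTextarea(string $name, string $value): string
{
    return '<textarea name="' . e($name) . '">' . e($value) . '</textarea>';
}

// Constructed inputs that contain markup characters.
$query = 'wide "fit" shoes <b>';
echo renderSearchBox($query), "\n";

$comment = "Dear editor,\n</textarea><p>this is still part of the comment</p>";
echo renderTextarea('tx_example_comment', $comment), "\n";
```

ENT_QUOTES matters for the attribute case (a single-quoted attribute is otherwise left open to `'`), ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output, and passing the charset explicitly avoids depending on the default_charset setting.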

General Advice: Follow the recommendations that are given in the TYPO3 Security Cookbook. Please subscribe to the typo3-announce mailing list.