Security Bulletins: Important Security Enhancements in TYPO3 3.8.1

Categories: Security Created by Ekkehard Gümbel
Multiple TYPO3 Security Bulletins have been issued, all of which are addressed by the release of TYPO3 3.8.1.

Over the years, TYPO3 has become very mature in many respects, one of which is the seriousness that is being put on security matters. Therefore the current release 3.8.1 contains some improvements as listed below.


------------------------------
Note: For the forthcoming version TYPO3 4.0 we are planning to have another general code review of the core - provided that we receive some funding for it. If you are able to contribute, please contact the TYPO3 security team or the TYPO3 Association. Thank you!
------------------------------

TYPO3-20051114-1: Backup Files Protection
The file editor functionality in the TYPO3 Install Tool (menu option "Edit files in typo3conf/") has an option that reads "Make backup copy". If set, this will create a backup copy and append a "~" to the original file name. This leads to file names that may be delivered as text files by a web server. Thus, sensitive information (e.g. the content of localconf.php) may be disclosed. 

TYPO3-20051114-2: showpic.php
A Cross Site Scripting issue has been found in showpic.php. 

TYPO3-20051114-3: PhpMyAdmin
Various security issues have been reported for PhpMyAdmin (see www.securityfocus.com/bid/15196 for details.)

TYPO3-20051114-4: "Shift-Reload"
In the past, a "Shift Reload" from the browser (AKA a GET request with the "no-cache" pragma set) cleared the TYPO3 cache of the requested page. This may be considered a potential target for Denial of Service attacks.

TYPO3-20051114-5: encryptionKey
For convenience, the TYPO3 Install Tool provides a button sets the "encryptionKey" to a random value. It has been observed that only parts of the generated value are actually random. The overall key is therefore unique and -as of today- considered sufficiently secure. However, the effective key length is not the intended one. 

TYPO3-20051114-6: config.baseURL
Under special circumstances, setting config.baseURL (see typo3.org/documentation/document-library/doc_core_tsref/quot_CONFIG_quot/ ) to a numeric value ("1") could be used to spoof a malicious baseURL into your TYPO3 cache. It has now been decided to technically prevent this misconfiguration. 

TYPO3-20051114-7: fileadmin/_temp_/
Situations are imaginable where sensitive information gets stored in the fileadmin/_temp_/ directory. If misconfigured in your web server, this directory can be browsable and therefore expose that information.

And: Please make sure to subscribe to the TYPO3 Announcement mailing list (http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-announce) to receive future announcements.