TYPO3 Security Bulletin

Categories: TYPO3 CMS

Created by Ekkehard Gümbel

Component Type: Core

Affected Components: TYPO3 Page Cache

Versions: TYPO3 3.8.0 and earlier

Vulnerability Type: Denial of Service

Severity: Low

Problem Description:
In the past, a "Shift Reload" from the browser (that is, a GET request with the "no-cache" pragma set) cleared the TYPO3 cache of the requested page. Because any visitor could trigger this, it may be considered a potential target for Denial of Service attacks.

Solution:

The solution is part of the general maintenance upgrade to TYPO3 version 3.8.1, which all users of TYPO3 are advised to install. In this version, the TYPO3 cache of the page is only cleared if the "Shift Reload" is issued from within a valid backend session.
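
The difference between the two behaviours can be seen in a small model of a page cache. This is an added example, not TYPO3 code: the class `PageCache`, the helper `renders_for` and the sample traffic are constructed for illustration, and a "render" stands in for the expensive page generation that a cache miss causes.

```python
"""Model of the page-cache behaviour described in the bulletin (not TYPO3 code)."""


class PageCache:
    def __init__(self, require_backend_session):
        # False models 3.8.0 and earlier, True models the 3.8.1 behaviour.
        self.require_backend_session = require_backend_session
        self.store = {}    # page id -> rendered HTML
        self.renders = 0   # number of expensive page generations

    def _render(self, page_id):
        self.renders += 1
        return f"<html>page {page_id}</html>"

    def handle_get(self, page_id, headers, backend_session_valid=False):
        # Header names are case-insensitive; "Shift Reload" sends Pragma: no-cache.
        pragma = {k.lower(): v.lower() for k, v in headers.items()}.get("pragma", "")
        forced = "no-cache" in pragma
        if forced and (backend_session_valid or not self.require_backend_session):
            self.store.pop(page_id, None)  # clear the cached copy of this page
        if page_id not in self.store:
            self.store[page_id] = self._render(page_id)
        return self.store[page_id]


def renders_for(require_backend_session, requests):
    """Replay requests against a fresh cache and return the render count."""
    cache = PageCache(require_backend_session)
    for page_id, headers, backend in requests:
        cache.handle_get(page_id, headers, backend)
    return cache.renders


# Constructed sample traffic: (page id, request headers, valid backend session?)
SAMPLE = (
    [(1, {}, False)]                             # normal first visit
    + [(1, {"Pragma": "no-cache"}, False)] * 5   # anonymous forced reloads
    + [(1, {"pragma": "No-Cache"}, True)]        # editor forces a refresh
    + [(1, {}, False)]                           # normal visit, served from cache
)

if __name__ == "__main__":
    print("3.8.0 and earlier:", renders_for(False, SAMPLE), "renders")
    print("3.8.1:            ", renders_for(True, SAMPLE), "renders")
```

In the model, every anonymous forced reload costs a full render under the old behaviour, while under the 3.8.1 behaviour only the first visit and the editor's reload do.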