Missing Access Check in TYPO3 CMS

Categories: TYPO3 CMS Created by Helmut Hummel
It has been discovered, that TYPO3 CMS lacks an access check for Extbase actions.

Component Type: TYPO3 CMS

Release Date: May 24, 2016

Vulnerable subcomponent: Extbase

Vulnerability Type: Missing access check

Affected Versions: Versions 4.3.0 up to 8.1.0

Severity: Critical

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:O/RC:C

CVE: CVE-2016-5091

Problem Description: Extbase request handling fails to implement a proper access check for requested controller/ action combinations, which makes it possible for an attacker to execute arbitrary Extbase actions by crafting a special request. To successfully exploit this vulnerability, an attacker must have access to at least one Extbase plugin or module action in a TYPO3 installation. The missing access check inevitably leads to information disclosure or remote code execution, depending on the action that an attacker is able to execute.

Solution: Update to TYPO3 versions 6.2.24, 7.6.8 or 8.1.1 that fix the problem described.

Alternative Solution: Apply the patches suitable for your TYPO3 branch manually.

Alternative Solution: Download the zip archive which contains a folder with a script and patches for all affected TYPO3 versions. (Please note: If you were quick and applied the zip file before the regression was fixed, you need to download this undo zip archive, which contains a script to revert the patches. After running the script, you have to use the script from above to secure your TYPO3 CMS instances.)

Notes: TYPO3 installations with at least one publicly available Extbase action, are exploitable without any further authentication.

TYPO3 installations without publicly available Extbase actions, are still exploitable for authenticated backend users with access to a backend module, which is based on Extbase.

Important Note: The fix introduced changes in the internal request handling of Extbase. In case an such unlikely incompatibility with any extension (that relies on internal API) occurs, the TYPO3 installation still remains fully available and functional, with only little minor issues in Extbase form validation handling.

Users of any TYPO3 version from 4.3.0 to 8.1.0 are strongly encouraged to upgrade or to at least apply the patches provided below.

Please note, that patching a not supported TYPO3 version can be considered only as temporary mitigation. Upgrade to a supported versions should be performed as soon as possible.

Credits: Thanks to Stefan Horlacher from Arcus Security GmbH who discovered and reported the issue, Alex Kellner, who also reported the issue and Oliver Hader for discovering a related vulnerability.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.