Privilege Escalation in Extension Repository (TER)

It has been discovered that the TYPO3 Extension Repository (TER) is vulnerable to privilege escalation.

Component Type: TYPO3 Extension Repository (TER) at extensions.typo3.org

Release Date: September 6, 2017

Vulnerability Type: Privilege Escalation

Vulnerable subcomponent: SOAP web service

Severity: Critical

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:U/RC:C

CVE: not assigned yet

Problem Description: Due to incomplete user authentication in the SOAP web service, it has been possible to gain privileged access to manage any extension on extensions.typo3.org without being properly authenticated, since the launch of extensions.typo3.org on August 23rd, 2017. In that timeframe an attacker could in theory have removed extension keys, removed existing extension versions and (re-)uploaded new extension versions. Exploiting the vulnerability required only knowledge of a valid extension key and a valid typo3.org user account name; an arbitrary password was accepted, bypassing the authentication process. For extension releases that already existed before August 22nd, 2017, no compromised code was found when comparing the SHA-256 checksums of the previous typo3.org storage with the current extensions.typo3.org storage. However, for the 56 extension versions that were newly uploaded and only ever available on extensions.typo3.org, there is NO guarantee that these packages do not contain malware or have not been compromised in some other way.
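The advisory does not publish the faulty code, so the following is an added illustration of the class of flaw it describes ("incomplete user authentication": a valid account name plus any password is accepted), placed beside a hardened form. It is not TER's code; the user store, the PBKDF2 parameters, the ownership table and the `upload_version` operation are all constructed for the example. The hardened form also separates authorisation from authentication, because the advisory says a valid login could manage *any* extension key.

```python
import hashlib
import hmac
import os

# Constructed user store (not real typo3.org data): a salt and a
# PBKDF2-HMAC-SHA256 hash per account name.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": {"salt": _SALT, "hash": _hash_password("correct horse", _SALT)}}

# Constructed ownership table: which account may manage which extension key.
EXTENSION_OWNERS = {"news": "alice"}


def authenticate_incomplete(username: str, password: str) -> bool:
    """Flaw pattern (hypothetical): the account lookup alone is treated as a
    successful login. The password is never compared against anything, so
    any value passes. Illustration only, not TER's actual code."""
    return username in USERS


def authenticate(username: str, password: str) -> bool:
    """Hardened form: derive the hash with the stored salt and compare it in
    constant time. Unknown accounts run the same derivation against dummy
    values so the response time does not reveal whether the name exists."""
    record = USERS.get(username)
    salt = record["salt"] if record else os.urandom(16)
    expected = record["hash"] if record else bytes(32)
    candidate = _hash_password(password, salt)
    matches = hmac.compare_digest(candidate, expected)
    return record is not None and matches


def may_manage(username: str, ext_key: str) -> bool:
    """Authorisation is a separate check: the authenticated account must be
    the registered owner of the extension key it tries to manage."""
    return EXTENSION_OWNERS.get(ext_key) == username


def upload_version(username, password, ext_key, authenticate_fn=authenticate):
    """Constructed stand-in for a 'manage extension' SOAP operation.
    authenticate_fn is a parameter only so the two variants can be compared."""
    if not authenticate_fn(username, password):
        return "denied: bad credentials"
    if not may_manage(username, ext_key):
        return "denied: not an owner of " + ext_key
    return "ok: new version of %s accepted" % ext_key


if __name__ == "__main__":
    print(upload_version("alice", "wrong", "news", authenticate_incomplete))  # accepted
    print(upload_version("alice", "wrong", "news"))                           # denied
    print(upload_version("alice", "correct horse", "news"))                   # accepted
```

With the incomplete variant the first call succeeds with a wrong password, which is the effect the advisory describes; with the hardened variant only the correct password for the owning account gets through, and even a correct login cannot touch a key it does not own.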

Check the list of possibly compromised extension releases:

  • advancedtitle (0.0.4, 0.0.5)
  • aimeos (17.7.1)
  • aimeos_pay (17.8.0, 17.8.1)
  • aip_vimeo (8.7.3)
  • aws_sdk_php (3.33.4, 3.34.0, 3.34.1, 3.34.2, 3.35.0, 3.35.1, 3.35.2)
  • cart_pdf (1.3.0, 2.0.0, 2.0.1)
  • cl_metatags (2.0.4)
  • cookie_hint (1.0.0, 1.0.1, 1.0.2)
  • cookie_question (0.1.0)
  • datamints_feuser (0.11.7, 0.11.8)
  • div2007 (1.7.10)
  • femanager (3.1.1)
  • feusersmap (0.8.2)
  • frp_form_answers (1.0.0, 1.0.1)
  • go_maps_ext (2.3.0)
  • hh_ckeditor_custom (0.1.1)
  • ipm_cline (1.2.0)
  • includekrexx (2.3.0)
  • maps2 (2.9.0)
  • my_user_management (3.3.0, 3.3.1, 3.3.2, 3.3.3)
  • news (6.1.0)
  • patchem (0.1.0)
  • powermail (3.22.0)
  • px_hybrid_auth (3.1.1)
  • px_semantic (2.5.0)
  • realurl_clearcache2 (1.0.0, 1.0.1, 2.0.0)
  • recordsmanager (1.4.0)
  • skfbalbums (0.0.1, 0.0.2)
  • static_info_tables_pt (6.3.2)
  • test_foo (0.1.0, 0.1.1)
  • turn (0.1.1)
  • url_redirect (1.1.0, 1.1.1)
  • vhs (4.3.0)
  • wfqbe (7.6.2)

Solution: All extensions that have been uploaded to extensions.typo3.org since August 23rd, 2017 have been marked as insecure. Extension owners have been informed and asked to provide new releases of the affected extensions. Extension versions listed as possibly compromised above have to be deleted from TYPO3 installations or replaced by newer releases. Users of these extensions are advised to update as soon as possible.

Credits: Credits go to Benjamin Serfhos who discovered and reported the vulnerability and to TYPO3 security team leader Helmut Hummel who analyzed and fixed the issue.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.