TYPO3 13.4.10 and 12.4.29 maintenance releases published
The versions 13.4.10 and 12.4.29 of the TYPO3 Enterprise Content Management System have just been released.
TYPO3 allows to upload files either in the backend user interface as well as in custom developed extensions. To reduce the possibility to upload potential malicious code TYPO3 uses the fileDenyPattern to deny e.g. user submitted PHP scripts from being persisted. Besides that it is possible for any editor to upload file assets using the file module (fileadmin) or changing their avatar image shown in the TYPO3 backend.
Per default TYPO3 allows to upload and store HTML and SVG files as well using the mentioned functionalities. Custom extension implementations probably would also accept those files when only the fileDenyPattern is evaluated.
Since HTML and SVG files - which might contain executable JavaScript code per W3C standard - could be directly displayed in web clients, the whole web application is exposed to be vulnerable concerning Cross-Site Scripting. Currently the following scenarios are known - given an authenticated regular editor is able to upload files using the TYPO3 backend:
SVG files that are embedded using an <img src=”malicious.svg”> tag are not vulnerable since potential scripts are not executed in these scenarios (see https://www.w3.org/wiki/SVG_Security). The icon API of TYPO3 is not scope of this announcement since SVG icons need to be registered using an individual implementation, which is not considered as user submitted content.
The real solution to avoid user submitted content and Cross Site Scripting in HTML and SVG files is to disable the possibility to upload those files in general. The TYPO3 install tool provides according settings in TYPO3_CONF_VARS/SYS which shall not contain HTML and SVG file extensions anymore.
In case editors having access to the TYPO3 backend are not considered as “trustworthy”, administrators have to manually adjust their configuration in order to disallow using these file types in corresponding install tool settings:
While disabling HTML to be uploaded might be possible, disallowing SVG files might not be an option when being used as media assets. For this scenario the additional TYPO3 extension svg_sanitizer has been implemented which makes use of the 3rd party composer package enshrined/svg-sanitize. The scope of this extension is to sanitize and remove potential malicious code from SVG files when being uploaded which concerns the following scenarios:
Besides that, the extension svg_sanitizer is shipped with an upgrade wizard, which allows to sanitize existing SVG files which are persisted in file storages. This can be done by invoking its upgrade wizard using the TYPO3 install tool.
The extension svg_sanitizer at least requires TYPO3 version 8.7.13 or 9.2.0 in order to make use of the mentioned hooks in class GeneralUtility. The extension can be obtained from the following sources:
Credits go to Mohamed Keffous and Nguyen Thanh Nguyen (FortiGuard Labs) who reported the vulnerability concerning SVG files and to TYPO3 framework merger Frank Nägler for providing the additional svg_sanitizer extension - the work time in order to achieve this has been sponsored by TYPO3 GmbH.
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.
The versions 13.4.10 and 12.4.29 of the TYPO3 Enterprise Content Management System have just been released.
Łukasz Uznański shares the journey behind the technical achievement to implement a working proof-of-concept for TYPO3 running entirely in the browser…
The Digital Public Goods (DPG) registry has recognized TYPO3’s dedication to sustainable development goals including unrestricted access, innovation…
April’s edition features a new Association board, spring events, announcing the TYPO3 conference, updates of community budget projects, and inviting…
The TYPO3 Best Practices Team gathered for another Remote Day. This time Bernd Sengupta and Eike Starkmann joined the team members Oliver Klee and…
In his talk at T3CON24, Janus Boye shared the challenges open source content management systems (CMS) face in the present and future- and how we can…