TYPO3 13.1.1, 12.4.15 and 11.5.37 security releases published
The versions 13.1.1, 12.4.15 and 11.5.37 of the TYPO3 Enterprise Content Management System have just been released.
TYPO3 allows files to be uploaded both through the backend user interface and through custom-developed extensions. To reduce the risk of storing potentially malicious code, TYPO3 evaluates the fileDenyPattern, which prevents e.g. user-submitted PHP scripts from being persisted. In addition, any editor can upload file assets via the file module (fileadmin) or by changing the avatar image shown in the TYPO3 backend.
By default, TYPO3 also allows HTML and SVG files to be uploaded and stored through these functionalities. Custom extension implementations that evaluate only the fileDenyPattern would most likely accept such files as well.
Since HTML and SVG files, which per W3C standard may contain executable JavaScript code, can be displayed directly in web clients, the whole web application is exposed to Cross-Site Scripting. Currently the following scenarios are known, given that an authenticated regular editor is able to upload files using the TYPO3 backend:
SVG files that are embedded using an <img src="malicious.svg"> tag are not vulnerable, since potential scripts are not executed in this context (see https://www.w3.org/wiki/SVG_Security). The icon API of TYPO3 is not in the scope of this announcement, since SVG icons have to be registered through an individual implementation and are therefore not considered user-submitted content.
The real solution to avoid user-submitted content and Cross-Site Scripting in HTML and SVG files is to disable the upload of those file types altogether. The TYPO3 install tool provides the corresponding settings in TYPO3_CONF_VARS/SYS, which should no longer contain the HTML and SVG file extensions.
If editors with access to the TYPO3 backend are not considered "trustworthy", administrators have to manually adjust their configuration in order to disallow these file types in the corresponding install tool settings:
While disabling HTML uploads may be feasible, disallowing SVG files might not be an option when they are used as media assets. For this scenario, the additional TYPO3 extension svg_sanitizer has been implemented, which makes use of the third-party composer package enshrined/svg-sanitize. The scope of this extension is to sanitize SVG files on upload and remove potentially malicious code from them, which covers the following scenarios:
In addition, the svg_sanitizer extension ships with an upgrade wizard that sanitizes existing SVG files persisted in file storages. The wizard can be invoked through the TYPO3 install tool.
The svg_sanitizer extension requires at least TYPO3 version 8.7.13 or 9.2.0 in order to make use of the mentioned hooks in the GeneralUtility class. The extension can be obtained from the following sources:
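To make the two checks concrete, here is an added PHP illustration that is not part of this advisory or of the TYPO3 source: the deny pattern is a simplified stand-in for TYPO3's default, the allow-list values are shortened constructed examples, and isUploadAllowed() is a constructed re-implementation of the checks described above, not TYPO3's own upload code. It assumes the enshrined/svg-sanitize package is installed via composer for the final sanitizing step.

```php
<?php
// Added illustration: a stand-in for TYPO3's default fileDenyPattern (constructed, not the exact default).
$fileDenyPattern = '/\.(php[3-8]?|phpsh|phtml|pht|phar)(\..*)?$|^\.htaccess$/i';

// Allow-lists from TYPO3_CONF_VARS/SYS (shortened, constructed values). The weak
// variant still lists html and svg; the hardened variant drops both, which is the
// change the install tool settings described above are meant to achieve.
$weakSys     = ['textfile_ext' => 'txt,css,js,html,htm', 'mediafile_ext' => 'jpg,png,pdf,svg'];
$hardenedSys = ['textfile_ext' => 'txt,css,js',          'mediafile_ext' => 'jpg,png,pdf'];

// Constructed re-implementation of the two checks the advisory describes; it is not
// TYPO3's own upload code.
function isUploadAllowed(string $fileName, string $denyPattern, array $sys): bool
{
    // Check 1: fileDenyPattern only blocks server-side executables (PHP, .htaccess, ...).
    if (preg_match($denyPattern, $fileName) === 1) {
        return false;
    }
    // Check 2: the extension must appear in one of the allow-lists. This is the check
    // that decides whether a script-capable html or svg file gets persisted.
    $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    $allowed = array_merge(explode(',', $sys['textfile_ext']), explode(',', $sys['mediafile_ext']));
    return in_array($ext, $allowed, true);
}

foreach (['shell.php', 'shell.php.txt', 'evil.svg', 'page.html', 'photo.jpg'] as $name) {
    printf("%-14s denyPattern only: %-8s weak allow-list: %-8s hardened allow-list: %s\n", $name,
        preg_match($fileDenyPattern, $name) === 1 ? 'blocked' : 'ALLOWED',
        isUploadAllowed($name, $fileDenyPattern, $weakSys) ? 'ALLOWED' : 'blocked',
        isUploadAllowed($name, $fileDenyPattern, $hardenedSys) ? 'ALLOWED' : 'blocked');
}

// In the additional configuration file the hardened lists are applied like this:
$GLOBALS['TYPO3_CONF_VARS']['SYS']['textfile_ext']  = $hardenedSys['textfile_ext'];
$GLOBALS['TYPO3_CONF_VARS']['SYS']['mediafile_ext'] = $hardenedSys['mediafile_ext'];

// If SVG must remain an allowed media type, sanitize it on upload with the package
// the svg_sanitizer extension builds on (composer require enshrined/svg-sanitize).
$untrustedSvg = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script><rect width="1" height="1"/></svg>';
if (class_exists(\enshrined\svgSanitize\Sanitizer::class)) {
    $clean = (new \enshrined\svgSanitize\Sanitizer())->sanitize($untrustedSvg);
    echo $clean === false ? "SVG rejected (not parseable)\n" : "Sanitized: $clean\n";
}
```

The table printed by the loop shows that the deny pattern alone lets evil.svg and page.html through, and that only removing the extensions from the SYS allow-lists blocks them.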
Credits go to Mohamed Keffous and Nguyen Thanh Nguyen (FortiGuard Labs), who reported the vulnerability concerning SVG files, and to TYPO3 framework merger Frank Nägler for providing the additional svg_sanitizer extension; the working time required for this was sponsored by TYPO3 GmbH.
Follow the recommendations given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.