Vulnerabilities in TYPO3 Core

Categories: TYPO3 CMS

Created by: Helmut Hummel
It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting, Authentication Bypass for frontend users and Information Disclosure.

Component Type: TYPO3 Core

Affected Versions: 4.2.11 and below, 4.3.1 and below

Vulnerability Types: Authentication Bypass, Cross-Site Scripting (XSS), Information Disclosure

Overall Severity: High

Release Date: February 23, 2010

Vulnerable subcomponent #1: Backend

Vulnerability Type: Information Disclosure

Severity: Medium

Problem Description: When a sys_action task is set up for creation of new backend users, the executing (unprivileged) user can get hold of personal data (except the password) of any existing backend user. A valid backend login is required to exploit this vulnerability.

Solution: Update to TYPO3 version 4.2.12 or 4.3.2, which fix the problem described.

Credits: Credits go to Security Team member Georg Ringer who discovered and reported the issue.

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Problem Description: Because user input is not sanitized, the TYPO3 backend is susceptible to XSS attacks in several places. A valid backend login is required to exploit these vulnerabilities.

Solution: Update to TYPO3 version 4.2.12 or 4.3.2, which fix the problem described.

Credits: Credits go to Nikolas Hagelstein and Jelmer de Hen along with Security Team members Marcus Krause and Georg Ringer who discovered and reported the issues.

Vulnerable subcomponent #2: Frontend

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Problem Description: When TYPO3 runs on PHP as CGI, under certain circumstances a malicious URL parameter can be passed to index.php, forcing TYPO3 to output an error message that contains arbitrary injected HTML.

Solution: Update to TYPO3 version 4.2.12 or 4.3.2, which fix the problem described.

Credits: Credits go to Henry Sudhof who discovered and reported the issue.

Vulnerable subcomponent #3: Frontend Login

Vulnerability Type: Authentication Bypass

Severity: High

Problem Description: When the system extension "saltedpasswords" is used, under certain circumstances an attacker does not need to know the original clear-text password to log in as a frontend user. If TYPO3 is configured to use several authentication services for the frontend, knowing the salted password hash is enough to authenticate against the system. Only TYPO3 versions 4.3.x with the system extension "saltedpasswords" enabled are affected.

TYPO3 system extension "saltedpasswords" is disabled by default; enabling it requires a manual change in system configuration.

Solution: Update to TYPO3 version 4.3.2, which fixes the problem described, or configure "saltedpasswords" to be the only authentication service for frontend users (see its manual).
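
The weakness described above, and the two ways out of it (the vendor fix and the configuration workaround), can be modelled as a chain of authentication services. The following Python is an added illustration written for this advisory; it is not TYPO3 code and does not use TYPO3's real service API or return codes. The chaining semantics (a service may accept, reject, or pass the attempt on), the PBKDF2 hash format, the user store and the service names are all constructed for the example. It shows why a salted-hash service that merely "passes on" a mismatch is dangerous when a plain-comparison fallback sits behind it: the stored hash string itself then works as a credential. Both running the salted service alone and making it reject mismatches definitively close the gap, and a regression check asserts that the stored hash is never accepted.

```python
import hashlib
import hmac
import os
from typing import Optional

# Outcome of one authentication service for a login attempt.
# Simplified model for this example, not TYPO3's real service return codes.
AUTH_OK = "ok"          # credential verified: log the user in
CONTINUE = "continue"   # this service did not decide; ask the next one
FAIL = "fail"           # definitive rejection: stop the chain

ITERATIONS = 100_000


def make_salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing salted hash string for a plain-text password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "$pbkdf2$" + salt.hex() + "$" + digest.hex()


def verify_salted_hash(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, _algo, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def salted_service_lenient(user: str, credential: str, store: dict) -> str:
    """Salted-hash service that hands a mismatch to the next service (the flaw)."""
    stored = store.get(user)
    if stored is None or not stored.startswith("$pbkdf2$"):
        return CONTINUE  # record is not in our format, so not our decision
    return AUTH_OK if verify_salted_hash(credential, stored) else CONTINUE


def salted_service_strict(user: str, credential: str, store: dict) -> str:
    """Hardened variant: a salted record it owns is decided here, never passed on."""
    stored = store.get(user)
    if stored is None or not stored.startswith("$pbkdf2$"):
        return CONTINUE
    return AUTH_OK if verify_salted_hash(credential, stored) else FAIL


def plain_compare_service(user: str, credential: str, store: dict) -> str:
    """Legacy fallback that compares the submitted credential with the stored field literally."""
    stored = store.get(user)
    if stored is None:
        return CONTINUE
    return AUTH_OK if hmac.compare_digest(credential.encode(), stored.encode()) else FAIL


def authenticate(user: str, credential: str, store: dict, services) -> bool:
    """Run the services in order; the first definitive answer wins."""
    for service in services:
        outcome = service(user, credential, store)
        if outcome == AUTH_OK:
            return True
        if outcome == FAIL:
            return False
    return False  # nobody accepted the credential


# Constructed sample frontend user store for the example (not real TYPO3 data).
PASSWORD = "correct horse battery staple"
STORE = {"alice": make_salted_hash(PASSWORD, salt=bytes(16))}

VULNERABLE_CHAIN = [salted_service_lenient, plain_compare_service]
WORKAROUND_CHAIN = [salted_service_lenient]                   # salted service only
FIXED_CHAIN = [salted_service_strict, plain_compare_service]  # mismatch is final


def stored_hash_is_rejected(chain) -> bool:
    """Regression check: the stored hash string must never work as a credential."""
    return not authenticate("alice", STORE["alice"], STORE, chain)


if __name__ == "__main__":
    for name, chain in [("vulnerable", VULNERABLE_CHAIN),
                        ("workaround", WORKAROUND_CHAIN),
                        ("fixed", FIXED_CHAIN)]:
        print(name, "password accepted:", authenticate("alice", PASSWORD, STORE, chain),
              "stored hash rejected:", stored_hash_is_rejected(chain))
```

The check in `stored_hash_is_rejected` is the kind of test worth keeping in a deployment's own suite after applying either remedy: it fails on the vulnerable chain and passes on both the single-service configuration and the strict service, while the genuine password still authenticates in every configuration.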

Credits: Credits go to Sven Haertwig who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 SECURITY Guide. Please subscribe to the typo3-announce mailing list