- Component Type: TYPO3 CMS
- Vulnerable subcomponent: Frontend Session Handling
- Release Date: December 11, 2018
- Vulnerability Type: Denial of Service
- Affected Versions: 7.0.0-7.6.31 and 8.0.0-8.7.20
- Severity: Medium
- Suggested CVSS v3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F/RL:O/RC:C
- CVE: not assigned yet
Problem Description
TYPO3’s built-in record registration functionality (aka “basic shopping cart”) using recs URL parameters is vulnerable to denial of service. Failing to properly ensure that anonymous user sessions are valid, attackers can use this vulnerability in order to create an arbitrary amount of individual session-data records in the database.
Solution
Update to TYPO3 versions 7.6.32 or 8.7.21 that fix the problem described. The frontend record registration feature has been deprecated in TYPO3 v8.6.0 and finally was removed in TYPO3 v9.0.0 - thus TYPO3 v9 is not affected.
Strong security defaults - Manual actions required
The frontend record registration feature has been disabled in order to apply strong security defaults. Installations that actually are using this functionality have to enable the feature and its vulnerability again.
This can be done by enabling $GLOBALS['TYPO3_CONF_VARS']['FE']['enableRecordRegistration'] either using Install Tool or according deployment techniques.
Credits
Thanks to Mads Lønne Jensen who reported this issue and to TYPO3 core team member Benni Mack who fixed the issue.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.
General Note
All security related code changes are tagged so that you can easily look them up in our review system.