Component Type: Core
Affected Components: Install Tool "encryptionKey" Generation
Versions: TYPO3 3.8.0 and earlier
Vulnerability Type: Key Length
Severity: Low
Problem Description:
For convenience, the TYPO3 Install Tool provides a button that sets the "encryptionKey" to a random value. It has been observed that only parts of the generated value are actually random. The overall key is therefore unique and, as of today, considered sufficiently secure. However, the effective key length is not the intended one.
Solution:
The solution is part of the general maintenance upgrade to TYPO3 version 3.8.1, which all users of TYPO3 are advised to implement. It contains a fix for the affected routine.
Credits:
Thanks to Jochen Weiland for notifying us.