TYPO3-20051114-5: TYPO3 Security Bulletin

Categories: TYPO3 CMS

Created by Ekkehard Gümbel

Component Type: Core

Affected Components: Install Tool "encryptionKey" Generation

Versions: TYPO3 3.8.0 and earlier

Vulnerability Type: Key Length

Severity: Low

Problem Description:
For convenience, the TYPO3 Install Tool provides a button that sets the "encryptionKey" to a random value. It has been observed that only parts of the generated value are actually random. The overall key is therefore unique and, as of today, considered sufficiently secure. However, the effective key length is not the intended one.

Solution:

The solution is part of the general maintenance upgrade to TYPO3 version 3.8.1, which all users of TYPO3 are advised to implement. It contains a fix for the affected routine.

Credits:
Thanks to Jochen Weiland for notifying us.