TYPO3-CORE-SA-2011-002: Potential SQL injection vulnerability in TYPO3 Core

Categories: TYPO3 CMS
Created by Helmut Hummel
It has been discovered that the TYPO3 prepared statement database API allows SQL Injections.

Component Type: TYPO3 Core

Affected Versions: 4.5.0 - 4.5.5

Release Date: September 14, 2011

Vulnerable subcomponent: Database API

Vulnerability Type: SQL Injection

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C

Problem Description: Because the prepared statement API fails to properly replace parameter values, the use of prepared statements could lead to an SQL injection vulnerability. This issue can only be exploited if two or more parameters are bound to the query and at least two come from user input.

We carefully analysed the usage of prepared queries in the TYPO3 Core and found that it is not exploitable. We are also not aware of any extension in the TER that uses this feature in an exploitable way. Nevertheless, all users of TYPO3 4.5.x are advised to update their installations as soon as possible.
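The advisory does not show the faulty replacement routine. The sketch below is an added illustration, not TYPO3 code: it assumes a client-side emulation that substitutes named parameters one after another, and shows how that breaks quoting once two values are bound, next to a single-pass replacement that does not. All function names, the table and the sample values are hypothetical.

```php
<?php
// Added illustration, not TYPO3 code. Names and sample values are hypothetical.

// Quote a value as a SQL string literal (stand-in for the driver's quoting routine).
function quoteValue(string $value): string
{
    return "'" . addslashes($value) . "'";
}

// Flawed emulation: each placeholder is replaced over the whole string in turn,
// so text inserted for an earlier parameter is scanned again for later ones.
function bindSequential(string $sql, array $params): string
{
    foreach ($params as $name => $value) {
        $sql = str_replace($name, quoteValue($value), $sql);
    }
    return $sql;
}

// Single pass over the original template: inserted values are never rescanned.
function bindSinglePass(string $sql, array $params): string
{
    return preg_replace_callback(
        '/:[A-Za-z_][A-Za-z0-9_]*/',
        function (array $m) use ($params): string {
            if (!array_key_exists($m[0], $params)) {
                throw new InvalidArgumentException("Unbound parameter {$m[0]}");
            }
            return quoteValue($params[$m[0]]);
        },
        $sql
    );
}

// Constructed input: the first value happens to contain the second placeholder's name.
$sql    = 'SELECT uid FROM example WHERE title = :title AND author = :author';
$params = [':title' => 'notes on :author', ':author' => "O'Brien"];

// Sequential binding nests the :author literal inside the :title literal,
// so the inner opening quote terminates the outer string early.
echo bindSequential($sql, $params), PHP_EOL;

// Single-pass binding keeps ":author" as plain text inside the :title literal.
echo bindSinglePass($sql, $params), PHP_EOL;
```

Under this assumption, a single bound parameter leaves no later replacement pass to rescan the inserted value, which is consistent with the advisory's condition that two or more parameters must be bound.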

Solution: Update to the TYPO3 version 4.5.6 that fixes the problem described.

Credits: Credits go to Franz G. Jahn who discovered and reported the issue.

General advice: Follow the recommendations that are given in the TYPO3 Security Cookbook. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.