Component Type: TYPO3 Core
Affected Versions: 4.4.0 up to 4.4.13, 4.5.0 up to 4.5.13, 4.6.0 up to 4.6.6 and development releases of the 4.7 and 6.0 branch.
Vulnerability Types: Cross-Site Scripting, Information Disclosure, Insecure Unserialize
Overall Severity: Medium
Release Date: March 28, 2012
Updated: March 30, 2012 (added CVEs)
Vulnerable subcomponent: Extbase Framework
Affected Versions: Versions 4.4.x and 4.5.x are not affected by this vulnerability.
Vulnerability Type: Insecure Unserialize
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C
CVE: CVE-2012-1605
Problem Description: Due to a missing signature (HMAC) for a request argument, an attacker could unserialize arbitrary objects within TYPO3.
To our knowledge it is neither possible to inject code through this vulnerability, nor are there exploitable objects within the TYPO3 Core. However, there might be exploitable objects within third party extensions.
Solution: Update to TYPO3 version 4.6.7, which fixes the problem described!
Note: The same problem applies to FLOW3. Read the according advisory TYPO3-FLOW3-SA-2012-001 for more information.
Credits: Credits go to Security Team Member Helmut Hummel who discovered and reported the issue.
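As an added example that is not part of this advisory or of TYPO3's own code, the following PHP shows the defensive pattern the Extbase fix describes: a serialized request argument carries an HMAC, and the signature is verified before unserialize() is ever called. The secret, the argument layout and the function names are assumptions for illustration.

```php
<?php
declare(strict_types=1);
// Added example (not TYPO3 code): sign a serialized request argument with an HMAC
// so that a client cannot alter it before it reaches unserialize().

// Assumed server-side secret; in a real deployment this comes from the
// application's encryption key, never from the request.
const DEMO_SECRET = 'constructed-secret-for-this-example';

// Build the value embedded in a link or form: "<base64 serialized data>|<hmac>".
function signArgument(array $data, string $secret): string
{
    $payload = serialize($data);
    $hmac = hash_hmac('sha256', $payload, $secret);
    return base64_encode($payload) . '|' . $hmac;
}

// Verify the HMAC first; only a payload whose signature matches is unserialized.
// Returns null for a missing, malformed or tampered argument.
function verifyArgument(string $argument, string $secret): ?array
{
    $parts = explode('|', $argument, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encoded, $hmac] = $parts;
    $payload = base64_decode($encoded, true);
    if ($payload === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload, $secret);
    // Constant-time comparison so the check does not leak through timing.
    if (!hash_equals($expected, $hmac)) {
        return null;
    }
    // Even with a valid signature, refuse to instantiate objects: the argument
    // is expected to carry plain arrays and scalars only (PHP >= 7.0 option).
    $data = unserialize($payload, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Constructed round trip: a genuine argument, then one whose payload was
// replaced while the old signature was kept.
$argument = signArgument(['controller' => 'Blog', 'action' => 'list'], DEMO_SECRET);
var_dump(verifyArgument($argument, DEMO_SECRET));

$tampered = base64_encode(serialize(['controller' => 'Blog', 'action' => 'delete']))
    . '|' . explode('|', $argument, 2)[1];
var_dump(verifyArgument($tampered, DEMO_SECRET));
```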
Vulnerable subcomponent: TYPO3 Backend
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C
CVE: CVE-2012-1606
Problem Description: Failing to properly HTML-encode user input in several places, the TYPO3 backend is susceptible to Cross-Site Scripting. A valid backend user is required to exploit these vulnerabilities.
Solution: Update to the TYPO3 versions 4.4.14, 4.5.14 or 4.6.7 that fix the problem described!
Important Note: With these TYPO3 versions the description field of the filelink content element is HTML encoded by default. If you allowed editors to enter HTML code in this field, you may want to add the following line to your TypoScript template, before updating.
tt_content.uploads.20.itemRendering.20.2.htmlSpecialChars = 0
Allowing HTML in this field is discouraged for editors, same as allowing the plain HTML content element.
Credits: Credits go to Security Team Members Georg Ringer and Oliver Klee who discovered and reported the issues.
Vulnerable subcomponent: TYPO3 Command Line Interface
Vulnerability Type: Information Disclosure
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C
CVE: CVE-2012-1607
Problem Description: Accessing a CLI Script directly with a browser may disclose the database name used for the TYPO3 installation.
Solution: Update to the TYPO3 versions 4.4.14, 4.5.14 or 4.6.7 that fix the problem described!
Credits: Credits go to Chris John Riley who discovered and reported the issue.
Vulnerable subcomponent: TYPO3 HTML Sanitizing API
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C
CVE: CVE-2012-1608
Problem Description: Because it does not remove non-printable characters, the API method t3lib_div::RemoveXSS() fails to filter specially crafted HTML injections and is therefore susceptible to Cross-Site Scripting.
Note: Developers should never rely on the blacklist of RemoveXSS() alone; user input must always be properly encoded before it is output again.
Solution: Update to the TYPO3 versions 4.4.14, 4.5.14 or 4.6.7 that fix the problem described!
Credits: Credits go to Marc Wöhlken who discovered and reported the issue.
General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.