TYPO3-CORE-SA-2012-003: Cross-Site Scripting Vulnerability in TYPO3 Core

Categories: TYPO3 CMS

Created by Marcus Krause

It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting.

Component Type: TYPO3 Core

Affected Versions: 4.5.0 up to 4.5.16, 4.6.0 up to 4.6.9, 4.7.0 up to 4.7.1 and development releases of the 6.0 branch.

Bulletin history: July 4, 2012 - corrected Secunia Advisory ID

Vulnerable subcomponent: Flash File Uploader

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C

CVE: CVE-2012-3414

Problem Description: TYPO3 bundles and uses an external JavaScript and Flash upload library called swfupload. TYPO3 can be configured to use this Flash uploader. Input passed via the "movieName" parameter to swfupload.swf is not properly sanitised before being used in a call to "ExternalInterface.call()". This can be exploited to execute arbitrary script code in a user's browser session in the context of an affected site. The mere existence of the swfupload library is sufficient for an installation to be vulnerable to the reported problem, whether or not TYPO3 is configured to use the Flash uploader.

Note: The vulnerability in the swfupload library is addressed by Secunia Advisory SA49651.

Solution: Update to TYPO3 version 4.5.17, 4.6.10 or 4.7.2, which fix the problem described.
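The following audit helper is an added example, not part of the advisory or of TYPO3: it checks a version string against the affected ranges listed above and lists every copy of swfupload.swf under a web root, since the presence of the file alone is what matters. The function names and the sample directory layout are assumptions made for illustration.

```python
import os
import re
import tempfile

# Affected patch ranges per branch and the fixed release, as listed in the advisory.
AFFECTED = {(4, 5): (0, 16, "4.5.17"), (4, 6): (0, 9, "4.6.10"), (4, 7): (0, 1, "4.7.2")}


def classify_version(version):
    """Return (status, fixed_release) for a TYPO3 version string."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        # Non-release strings (e.g. 6.0 development snapshots, which the
        # advisory lists as affected) cannot be range-checked: review by hand.
        return ("review", None)
    major, minor, patch = map(int, m.groups())
    low, high, fixed = AFFECTED.get((major, minor), (1, 0, None))
    if low <= patch <= high:
        return ("affected", fixed)
    return ("not-listed", None)


def find_swfupload(root):
    """Return sorted relative paths of every swfupload.swf under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "swfupload.swf":
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def audit(root, version):
    """Combine the version check with the file scan for one installation."""
    status, fixed = classify_version(version)
    return {"version": version, "status": status, "update_to": fixed,
            "swfupload_copies": find_swfupload(root)}


def make_sample_tree():
    """Build a constructed directory tree (hypothetical layout) for the demo."""
    root = tempfile.mkdtemp(prefix="typo3-audit-")
    for rel in ("lib/swfupload/swfupload.swf", "old/backup/SWFUpload.swf", "lib/app.js"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root


if __name__ == "__main__":
    print(audit(make_sample_tree(), "4.5.16"))
```

A status of "not-listed" only means the version is outside the ranges this advisory names; any swfupload.swf copies reported by the scan still deserve a look.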

Credits: Credits go to Nathan Partlan and Neal Poole, who discovered the original movieName XSS vulnerability in the swfupload library, and Lukas Reschke, who reported the problem to the TYPO3 Security Team.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.