TYPO3-CORE-SA-2012-004: Several Vulnerabilities in TYPO3 Core

Categories: TYPO3 CMS Created by Helmut Hummel
It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting, Information Disclosure, Insecure Unserialize leading to Arbitrary Code Execution

Component Type: TYPO3 Core

Affected Versions: 4.5.0 up to 4.5.18, 4.6.0 up to 4.6.11, 4.7.0 up to 4.7.3 and development releases of the 6.0 branch.

Vulnerability Types: Cross-Site Scripting, Information Disclosure, Insecure Unserialize

Overall Severity: Medium

Release Date: August 15, 2012

Vulnerable subcomponent: TYPO3 Backend Help System

Vulnerability Type: Insecure Unserialize leading to a possible Arbitrary Code Execution

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:C/A:N/E:P/RL:O/RC:C (What's that?)

Problem Description: Due to a missing signature (HMAC) for a parameter in the view_help.php file, an attacker could unserialize arbitrary objects within TYPO3. We are aware of a working exploit, which can lead to arbitrary code execution. A valid backend user login or multiple successful cross site request forgery attacks are required to exploit this vulnerability.

Solution: Update to the TYPO3 version 4.5.19, 4.6.12 or 4.7.4 that fix the problem described!

Credits: Credits go to Felix Wilhelm who discovered and reported the issue.

Vulnerable subcomponent: TYPO3 Backend

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C (What's that?)

Problem Description: Failing to properly HTML-encode user input in several places, the TYPO3 backend is susceptible to Cross-Site Scripting. A valid backend user is required to exploit these vulnerabilities.

Solution: Update to the TYPO3 version 4.5.19, 4.6.12 or 4.7.4 that fix the problem described!

Credits: Credits go to Pavel Vaysband, Security Team Member Markus Bucher, Core Team Member Susanne Moog, Jan Bednarik,  who discovered and reported the issues.

Vulnerable subcomponent: TYPO3 Backend

Vulnerability Type: Information Disclosure

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:O/RC:C (What's that?)

Problem Description: Accessing the configuration module discloses the Encryption Key. A valid backend user with access to the configuration module is required to exploit this vulnerability.

Solution: Update to the TYPO3 version 4.5.19, 4.6.12 or 4.7.4 that fix the problem described!

Credits: Credits go to Mario Rimann who discovered and reported the issue.

Vulnerable subcomponent: TYPO3 HTML Sanitizing API

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:O/RC:C (What's that?)

Problem Description: By not removing several HTML5 JavaScript events, the API method t3lib_div::RemoveXSS() fails to filter specially crafted HTML injections, thus is susceptible to Cross-Site Scripting. Failing to properly encode for JavaScript the API method t3lib_div::quoteJSvalue(), it is susceptible to Cross-Site Scripting.

Note: Developers should never rely on the blacklist of RemoveXSS() alone, but should always properly encode user input before outputting it again.

Solution: Update to the TYPO3 version 4.5.19, 4.6.12 or 4.7.4 that fix the problem described!

Credits: Credits go to Andreas Schnapp and Christian Nösterer who discovered and reported the issues.

Vulnerable subcomponent: TYPO3 Install Tool

Vulnerability Type: Cross-Site Scripting

Severity: Low

Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C (What's that?)

Problem Description: Failing to properly sanitize user input, the Install Tool is susceptible to Cross-Site Scripting.

Solution: Update to the TYPO3 version 4.5.19, 4.6.12 or 4.7.4 that fix the problem described!

Credits: Credits go to Security Team Member Georg Ringer who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.