TYPO3-CORE-SA-2013-001: SQL Injection and Open Redirection in TYPO3 Core

Categories: TYPO3 CMS

Created by: Helmut Hummel

It has been discovered that TYPO3 Core is susceptible to SQL Injection and Open Redirection.

Component Type: TYPO3 Core

Affected Versions: 4.5.0 up to 4.5.23, 4.6.0 up to 4.6.16, 4.7.0 up to 4.7.8 and 6.0.0 up to 6.0.2

Vulnerability Types: SQL Injection, Open Redirection

Overall Severity: High

Release Date: March 6, 2013

Vulnerable subcomponent: Extbase Framework

Vulnerability Type: SQL Injection

Severity: Critical

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:C/I:C/A:N/E:H/RL:O/RC:C

Problem Description: Failing to sanitize user input, the Extbase database abstraction layer is susceptible to SQL Injection. TYPO3 sites which have no Extbase extensions installed are not affected. Extbase extensions are affected if they use the Query Object Model and relation values come from user-provided input, e.g. $query->contains('model.categories', $userProvidedValue).

Solution: Update to TYPO3 version 4.5.24, 4.6.17, 4.7.9 or 6.0.3, which fix the problem described.

Credits: Credits go to Helmut Hummel and Markus Opahle who discovered and reported the issue.

Note: It has been reported to the TYPO3 Security Team that this problem is known and exploited in the wild.

Vulnerable subcomponent: Access tracking mechanism

Vulnerability Type: Open Redirection

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:H/RL:O/RC:C

Problem Description: Failing to validate user provided input, the access tracking mechanism allows redirects to arbitrary URLs.

Solution: Update to TYPO3 version 4.5.24, 4.6.17, 4.7.9 or 6.0.3, which fix the problem described.

Important Notes: To fix this vulnerability, we had to break existing behaviour of TYPO3 sites that use the access tracking mechanism (jumpurl feature) to transform links to external sites. The link generation has been changed to include a hash that is checked before redirecting to an external URL. This means that old links that have been distributed (e.g. by a newsletter) will not work any more. If you are using the jumpurl feature you need to do the following:

  • Clear the TYPO3 caches so that old links without the required validation hash are no longer delivered.

If it is important that already distributed links (e.g. sent by the directmail newsletter module) keep working, you additionally have to:

  • Install the provided extension (t3x, zip) which covers the following cases:
    • URLs which are present in pages or content elements are allowed to be redirected to, even if the validation hash is missing or wrong.
    • URLs which are present in newsletters sent using the third party module "directmail" are allowed to be redirected to, even if the validation hash is missing or wrong.

If the above use cases do not cover your needs, you need to:

  • Adapt the provided extension or create your own extension with a redirect handler that fits your needs.
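As an added example (not TYPO3's own jumpurl code), the following PHP sketches the mechanism described above: the generated redirect link carries a hash over the target URL, the hash is verified before redirecting, and an allowlist stands in for the compatibility extension's fallback for URLs already present in page content or sent newsletters. The secret, the parameter names and the allowlist contents are assumptions made for this illustration.

```php
<?php
// Added illustration of a hash-validated redirect; not TYPO3's jumpurl code.
// Secret, parameter names and the allowlist are assumptions for this example.
const REDIRECT_SECRET = 'assumed-secret-kept-in-installation-config';

/** Build a redirect link that carries an HMAC over the target URL. */
function buildJumpUrl(string $target): string
{
    $hash = hash_hmac('sha256', $target, REDIRECT_SECRET);
    return '/index.php?jumpurl=' . rawurlencode($target) . '&juHash=' . $hash;
}

/**
 * Allow the redirect only if the hash matches, or (for links distributed
 * before the hash existed) if the target is already present in stored page
 * content or sent newsletters, represented here by $knownUrls.
 */
function isRedirectAllowed(string $target, ?string $hash, array $knownUrls = []): bool
{
    if ($hash !== null) {
        $expected = hash_hmac('sha256', $target, REDIRECT_SECRET);
        if (hash_equals($expected, $hash)) { // constant-time comparison
            return true;
        }
    }
    // Missing or wrong hash: fall back to the allowlist of known targets.
    return in_array($target, $knownUrls, true);
}

/** Request handler: redirect to allowed targets, refuse everything else. */
function handleRedirect(array $query, array $knownUrls = []): void
{
    $target = $query['jumpurl'] ?? '';
    $hash   = $query['juHash'] ?? null;
    if ($target === '' || !isRedirectAllowed($target, $hash, $knownUrls)) {
        http_response_code(403);
        echo 'Redirect target not allowed';
        return;
    }
    header('Location: ' . $target, true, 302);
}

// Constructed demonstration: a freshly built link passes; a bare target with
// no hash is refused unless it appears on the allowlist.
$link = buildJumpUrl('https://www.example.org/docs');
parse_str((string) parse_url($link, PHP_URL_QUERY), $params);
var_dump(isRedirectAllowed($params['jumpurl'], $params['juHash']));
var_dump(isRedirectAllowed('https://other.example/', null));
var_dump(isRedirectAllowed('https://other.example/', null, ['https://other.example/']));
```

Run with `php example.php`; the second call is refused because a missing hash without an allowlist match is exactly the case the fix closes.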

If you have further questions regarding this issue, feel free to ask on a public mailing list or in our forum to get the needed support.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.