TYPO3-CORE-SA-2013-002: Cross-Site Scripting and Remote Code Execution Vulnerability in TYPO3 Core

Categories: TYPO3 CMS Created by Georg Ringer
It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting and Remote Code Execution

Component Type: TYPO3 Core

Vulnerability Types: Cross-Site Scripting, Remote Code Execution

Overall Severity: Critical

Release Date: July 30, 2013

 

Vulnerable subcomponent: Third Party Libraries used for audio and video playback

Vulnerability Type: Cross-Site Scripting

Affected Versions: All versions from 4.5.0 up to the development branch of 6.2

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:O/RC:C (What's that?)

Related CVEs: CVE-2011-3642CVE-2013-1464

Problem Description: TYPO3 bundles flash files for video and audio playback. Old versions of FlowPlayer and flashmedia are susceptible to Cross-Site Scripting. No authentication is required to exploit this vulnerability.

Solution: Update to the TYPO3 version 4.5.29, 4.7.14, 6.0.8 or 6.1.3 that fix the problem described!

Credits: Credits go to Markus Pieton and Vytautas Paulikas who discovered and reported the issues.

 

Vulnerable subcomponent: Backend File Upload / File Abstraction Layer

Vulnerability Type: Remote Code Execution by arbitrary file creation

Affected Versions: All versions from 6.0.0 up to the development branch of 6.2

Severity: Critical

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:O/RC:C (What's that?)

CVE: CVE-2013-4250

Problem Description: The file upload component and the File Abstraction Layer are failing to check for denied file extensions, which allows authenticated editors (even with limited permissions) to upload php files with arbitrary code, which can then be executed in web server's context.

Solution: Update to the TYPO3 version 6.0.8 or 6.1.3 that fix the problem described!

Credits: Credits go to Sebastian Nerz who discovered and reported the issue. 

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.