Component Type: TYPO3 Core
Vulnerability Types: Cross-Site Scripting, Remote Code Execution
Overall Severity: Critical
Release Date: September 4, 2013
Vulnerable subcomponent: File handling / File Abstraction Layer
Vulnerability Type: Incomplete Access Management
Affected Versions: All versions from 6.0.0 up to the development branch of 6.2
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C
CVE: CVE-2013-4320
Problem Description: TYPO3 comes with the possibility to restrict editors to certain file actions (copy, delete, move etc.) and to restrict these actions to be performed in certain locations (file mounts). This permission handling was only partly implemented with the introduction of the File Abstraction Layer (FAL). The file action permissions that can be set in backend user and group records were not respected and users could break out of file mounts by crafting URLs. Thus, unprivileged users could create or read arbitrary files within or outside the document root.
Solution: Update to TYPO3 version 6.0.9, 6.1.4 or the latest development version! It is important to clear all caches ("Clear all caches" in the backend, or deleting the complete typo3temp/Cache directory) for the changes to take effect after the TYPO3 source files have been updated!
Notes: Administrators are advised to set file permissions for backend users or groups by using User TSConfig instead of using the file permission check boxes in the user or group records. This allows more fine-grained control over single file action permissions.
Example for setting default permissions for users or groups in User TSConfig:
permissions.file.default {
  addFile = 0
  readFile = 1
  writeFile = 1
  copyFile = 1
  moveFile = 1
  renameFile = 0
  unzipFile = 0
  deleteFile = 0
  addFolder = 1
  readFolder = 1
  writeFolder = 1
  copyFolder = 1
  moveFolder = 0
  renameFolder = 0
  deleteFolder = 1
  recursivedeleteFolder = 1
}
Example setting permissions for storage with ID 1 (overriding default settings):
permissions.file.storage.1 {
  addFile = 1
  readFile = 1
  writeFile = 1
  copyFile = 1
  moveFile = 1
  renameFile = 0
  unzipFile = 0
  deleteFile = 0
  addFolder = 1
  readFolder = 1
  writeFolder = 1
  copyFolder = 1
  moveFolder = 0
  renameFolder = 0
  deleteFolder = 1
  recursivedeleteFolder = 1
}
Credits: Credits go to Sebastian Nerz who discovered and reported the issues, Steffen Ritter and Helmut Hummel for creating the fixes and Anja Leichsenring, Susanne Moog, Michiel Roos, Sascha Egerer and Ernesto Baschny for testing.
Vulnerable subcomponent: File Abstraction Layer
Vulnerability Type: Remote Code Execution
Affected Versions: All versions from 6.0.0 up to the development branch of 6.2
Severity: Critical
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:O/RC:C
CVE: CVE-2013-4321
Problem Description: The check for denied file extensions implemented in the File Abstraction Layer, as mentioned in advisory TYPO3-CORE-SA-2013-002, was incomplete. It was still possible for editors to rename files to denied file extensions by inserting special characters that were removed at a later point. This (again) allowed authenticated editors to forge PHP files with arbitrary code, which could then be executed in the web server's context.
Solution: Update to TYPO3 version 6.0.9, 6.1.4 or the latest development version!
Credits: Credits go to Sascha Egerer who discovered and reported the issue.
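As an added illustration of the check-ordering flaw described above (constructed Python, not TYPO3's code, with a made-up deny list and a made-up cleanup step standing in for the later character removal): a deny-list check run on the raw name, followed by character cleanup, passes a name that only acquires a denied extension after cleanup, whereas checking the cleaned name that is actually stored does not.

```python
import re

# Constructed deny list; the real TYPO3 list is configured in the installation.
DENIED_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}


def clean_name(name: str) -> str:
    """Constructed stand-in for a later sanitisation step that strips
    control characters, NUL bytes and whitespace from a file name."""
    return re.sub(r"[\x00-\x1f\x7f\s]", "", name)


def has_denied_extension(name: str) -> bool:
    """True if the name's final extension is on the deny list."""
    if "." not in name:
        return False
    return name.rsplit(".", 1)[-1].lower() in DENIED_EXTENSIONS


def rename_vulnerable(name: str):
    """Pre-fix ordering: check the raw name, then clean it.
    Returns the stored name, or None if the rename is refused."""
    if has_denied_extension(name):
        return None
    return clean_name(name)  # cleanup may change the extension after the check


def rename_fixed(name: str):
    """Hardened ordering: derive the final name first, then check that.
    The validated value is exactly the value that will be stored."""
    final = clean_name(name)
    if has_denied_extension(final):
        return None
    return final
```

The point to carry over to any upload or rename handler is that every validation must run on the canonical form that reaches the filesystem, not on an intermediate form that is normalised afterwards.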
General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.