TYPO3-CORE-SA-2014-001: Multiple Vulnerabilities in TYPO3 CMS

Categories: TYPO3 CMS
Created by: Helmut Hummel
It has been discovered that TYPO3 CMS is vulnerable to Cross-Site Scripting, Insecure Unserialize, Improper Session Invalidation, Authentication Bypass, Information Disclosure and Host Spoofing.

Component Type: TYPO3 CMS

Vulnerability Types: Cross-Site Scripting, Insecure Unserialize, Improper Session Invalidation, Authentication Bypass, Information Disclosure and Host Spoofing

Overall Severity: Medium

Release Date: May 22, 2014

Vulnerability Type: Host Spoofing

Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13, 6.1.0 to 6.1.8 and 6.2.0 to 6.2.2

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:O/RC:C

CVE: CVE-2014-3941

Problem Description: Failing to properly validate the HTTP Host header, TYPO3 CMS is susceptible to host spoofing. TYPO3 uses the HTTP Host header to generate absolute URLs in several places, such as 404 handling, http(s) enforcement, password reset links and many more. Since the Host header is provided by the client, it can be forged to any value, even in a name-based virtual host environment. A blog post describes this problem in great detail.

Solution: Update to TYPO3 versions 4.5.34, 4.7.19, 6.0.14, 6.1.9 or 6.2.3 and check or update your web server configuration as described below.

Additional Notes: These versions introduce a new configuration option: 

$GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern']

This option can contain either the value SERVER_NAME or a regular expression pattern that matches all host names considered trustworthy for the particular TYPO3 installation. SERVER_NAME is the default value shipped with the above-mentioned TYPO3 versions. With this value in effect, TYPO3 checks the submitted Host header against the SERVER_NAME variable. The SERVER_NAME variable contains trusted values in the following cases:

Apache Webserver: Apache is set up to use name-based virtual hosts, the TYPO3 installation is part of one virtual host, and that virtual host is not the default host. Only values from the ServerName or ServerAlias directives of that virtual host configuration are then set as SERVER_NAME.

Nginx Webserver: Nginx is set up with different server blocks and the TYPO3 installation is not part of the "catch all" server block. By default only the first value of the server_name option is used to populate the SERVER_NAME variable. If you specified more than one server name in your Nginx configuration, you additionally have to add the following configuration:
fastcgi_param SERVER_NAME $host;

If TYPO3 is served by Apache from the default host, updating to the current TYPO3 versions is not enough! Apache then sets the SERVER_NAME variable directly to the (untrusted) Host header value. In such a setup you must either set UseCanonicalName On in your Apache configuration, or change the TYPO3 configuration option to a regular expression that matches all trusted host names of your TYPO3 installation.

IMPORTANT: We tried hard to avoid a breaking change with these new versions and at the same time deliver a secure default setup for most users. We may have missed edge cases (such as web servers other than the above, or a complex reverse proxy setup) where the default configuration breaks your site after the update. If you have a (server) setup that is considerably different from the scenarios described above, you should test whether your TYPO3 installation still works after the update with the provided default configuration.

Credits: Credits go to Security Team Member Helmut Hummel who discovered and reported the issue and to Wouter van Dongen who discovered and reported a particular exploit possibility.
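The following script is an added example, not TYPO3's own implementation of the trustedHostsPattern check. It is a simplified stand-alone model of the two modes described above (SERVER_NAME comparison and regular expression), so that an administrator can try candidate patterns against the host names a site must accept before changing LocalConfiguration.php. The assumptions are the example's own: an optional ":port" suffix is stripped from the Host header before comparison, the regular expression is anchored to the whole host name, and the host names, pattern and SERVER_NAME value are constructed sample data.

```php
<?php
// Added example, not TYPO3 code: a stand-alone approximation of the Host header
// check described by the trustedHostsPattern option. Run with: php check_host.php

/**
 * Decide whether the Host header sent by the client is trustworthy.
 *
 * @param string $hostHeader  value of the HTTP Host header (may carry ":port")
 * @param string $pattern     'SERVER_NAME' or a regular expression without delimiters
 * @param string $serverName  the web server's SERVER_NAME variable
 */
function isTrustedHost(string $hostHeader, string $pattern, string $serverName): bool
{
    // Assumption of this example: only the host part is compared, the port is dropped.
    $host = preg_replace('/:\d+$/', '', $hostHeader);
    if ($host === null || $host === '') {
        return false;
    }
    if ($pattern === 'SERVER_NAME') {
        // Only meaningful when the web server fills SERVER_NAME from its own
        // configuration (name-based vhost / server block), not from the header.
        return strcasecmp($host, $serverName) === 0;
    }
    // Regular expression mode: anchor the pattern so a partial match cannot pass.
    // The pattern must not contain an unescaped "/" because it is used as delimiter here.
    return preg_match('/^(' . $pattern . ')$/i', $host) === 1;
}

// Constructed sample cases (not taken from the advisory).
$serverName = 'www.example.org';
$cases = [
    // [Host header,              pattern,                          expected]
    ['www.example.org',           'SERVER_NAME',                    true],
    ['www.example.org:443',       'SERVER_NAME',                    true],
    ['forged.example.net',        'SERVER_NAME',                    false],
    ['www.example.org',           '.*\.example\.org|example\.org',  true],
    ['example.org',               '.*\.example\.org|example\.org',  true],
    ['www.example.org.other.net', '.*\.example\.org|example\.org',  false],
    ['notexample.org',            '.*\.example\.org|example\.org',  false],
];

foreach ($cases as [$hostHeader, $pattern, $expected]) {
    $ok = isTrustedHost($hostHeader, $pattern, $serverName) === $expected;
    printf("%-4s host=%-27s pattern=%s\n", $ok ? 'PASS' : 'FAIL', $hostHeader, $pattern);
}
```

The last two cases are the ones worth keeping in any such self-test: an unanchored or loosely written pattern would accept a host name that merely contains the trusted name, which defeats the purpose of the option.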

Vulnerable subcomponent: Color Picker Wizard

Vulnerability Type: Insecure Unserialize

Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13 and 6.1.0 to 6.1.8

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:N/I:P/A:P/E:F/RL:O/RC:C

CVE: CVE-2014-3942

Problem Description: Failing to validate the authenticity of a passed serialized string, the color picker wizard is susceptible to insecure unserialize, allowing authenticated editors to unserialize arbitrary PHP objects.

Solution: Update to TYPO3 versions 4.5.34, 4.7.19, 6.0.14 or 6.1.9 that fix the problem described. TYPO3 version 6.2 is not affected by this vulnerability.

Credits: Credits go to Security Team member Helmut Hummel who discovered and reported the issue.

Vulnerable subcomponent: Backend

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13, 6.1.0 to 6.1.8 and 6.2.0 to 6.2.2

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: CVE-2014-3943

Problem Description: Failing to properly encode user input, several backend components are susceptible to Cross-Site Scripting, allowing authenticated editors to inject arbitrary HTML or JavaScript by crafting URL parameters.

Solution: Update to TYPO3 versions 4.5.34, 4.7.19, 6.0.14, 6.1.9 or 6.2.3 that fix the problem described.

Credits: Credits go to Security Team members Georg Ringer, Franz Jahn and Marc Bastian Heinrichs who discovered and reported the issues.

Vulnerable subcomponent: ExtJS

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13, 6.1.0 to 6.1.8 and 6.2.0 to 6.2.2

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C

Related CVE: CVE-2010-4207, CVE-2012-5881

Problem Description: The ExtJS JavaScript framework that is shipped with TYPO3 also delivers a Flash file used to show charts. This file is susceptible to Cross-Site Scripting, and the vulnerability can be exploited without any authentication.

Solution: Update to TYPO3 versions 4.5.34, 4.7.19, 6.0.14, 6.1.9 or 6.2.3 that fix the problem described, or delete the file typo3/contrib/extjs/resources/charts.swf, as it is not used by TYPO3 at all.

Credits: Credits go to Ronald Klomp who discovered and reported the issue.

Vulnerable subcomponent: Authentication

Vulnerability Type: Improper Session Invalidation

Affected Versions: Versions 6.2.0 to 6.2.2

Severity: Low

Suggested CVSS v2.0: AV:L/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: CVE-2014-3944

Problem Description: Because user sessions that have timed out are not properly invalidated, it is possible to successfully transmit one more authenticated request before the session is finally discarded.

Solution: Update to TYPO3 version 6.2.3, which fixes the problem described.

Credits: Credits go to Markus Klein who discovered and reported the issue.
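The following is an added example and not TYPO3's session handling code: a generic model of the ordering bug class described above, in which a request is served on a session's stale state and the timeout is enforced only afterwards, placed next to the corrected ordering. The session fields, the lifetime value and the request timestamps are constructed for the illustration.

```php
<?php
// Added example, not TYPO3 code: a generic model of "expire after serving"
// (one more request goes through after the timeout) versus "expire, then decide".

const SESSION_LIFETIME = 3600; // seconds of inactivity after which a session expires (constructed value)

/**
 * Flawed ordering: the request is served on the session's stale "valid" flag,
 * and the timeout is only enforced afterwards, so exactly one request after
 * the timeout is still treated as authenticated.
 */
function handleRequestFlawed(array &$session, int $now): bool
{
    $served = $session['valid'];                        // no expiry check before serving
    if ($now - $session['lastActivity'] > SESSION_LIFETIME) {
        $session['valid'] = false;                      // discarded only after the fact
    } elseif ($served) {
        $session['lastActivity'] = $now;
    }
    return $served;
}

/**
 * Corrected ordering: expire first, then decide whether the request is
 * authenticated. A timed-out session can never serve another request.
 */
function handleRequestFixed(array &$session, int $now): bool
{
    if ($now - $session['lastActivity'] > SESSION_LIFETIME) {
        $session['valid'] = false;
    }
    if (!$session['valid']) {
        return false;
    }
    $session['lastActivity'] = $now;                    // sliding expiry on success
    return true;
}

// Constructed scenario: last activity at t=0, two requests just past the timeout.
foreach (['flawed' => 'handleRequestFlawed', 'fixed' => 'handleRequestFixed'] as $label => $handler) {
    $session = ['valid' => true, 'lastActivity' => 0];
    $first  = $handler($session, SESSION_LIFETIME + 1);
    $second = $handler($session, SESSION_LIFETIME + 2);
    printf("%-6s first request after timeout: %s, second: %s\n",
        $label, $first ? 'served' : 'rejected', $second ? 'served' : 'rejected');
}
```

Running it shows the flawed handler serving the first request past the timeout and rejecting only the second, while the fixed handler rejects both; the lesson is that expiry must be evaluated before any authenticated work is done on the request, not as cleanup afterwards.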

Vulnerability Type: Authentication Bypass

Affected Versions: All TYPO3 versions not configured to use salted passwords

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: CVE-2014-3945

Problem Description: When the use of salted passwords is disabled (salted passwords are enabled by default since TYPO3 4.6 and required since TYPO3 6.2), passwords for backend access are stored as plain MD5 hashes in the database. Such a hash (e.g. obtained through a successful SQL injection) can be used directly to authenticate as the backend user without knowing or reverse engineering the password.

Solution: Update to TYPO3 version 6.2 or higher, or configure TYPO3 to make use of salted passwords by installing and configuring the saltedpasswords system component.

Note: In TYPO3 version 6.2 it is still possible to disable password salt hashing for frontend users. It should be apparent that such a setup is insecure and not recommended.
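As an added example (not part of the advisory and not TYPO3 code), the following script helps an administrator find which accounts still carry an unsalted MD5 hash and therefore fall under this issue. It classifies stored password values by their shape: a bare 32-digit hexadecimal string is an unsalted MD5 digest, while crypt-style values starting with "$" are what salted hashing produces. The rows are constructed inline so the script runs offline; on a real installation they would come from the users table (for example a query such as SELECT uid, username, password FROM be_users, which is this example's assumption about where to read them).

```php
<?php
// Added example, not TYPO3 code: classify stored password hashes so that
// accounts still carrying an unsalted MD5 hash can be found and rehashed.

/** Classify a stored password value by its format. */
function classifyHash(string $stored): string
{
    if ($stored === '') {
        return 'empty';
    }
    if (preg_match('/^[0-9a-f]{32}$/i', $stored) === 1) {
        return 'unsalted-md5';   // bare MD5 digest: the value this advisory is about
    }
    if ($stored[0] === '$') {
        return 'salted';         // crypt-style hash as written by salted password hashing
    }
    return 'unknown';
}

/** Return the usernames whose stored hash needs to be replaced by a salted one. */
function accountsNeedingRehash(array $rows): array
{
    $affected = [];
    foreach ($rows as $row) {
        if (classifyHash($row['password']) === 'unsalted-md5') {
            $affected[] = $row['username'];
        }
    }
    return $affected;
}

// Constructed sample rows; the hashes are computed here from throwaway strings
// and do not belong to any real account.
$rows = [
    ['uid' => 1, 'username' => 'admin',  'password' => md5('constructed-one')],
    ['uid' => 2, 'username' => 'editor', 'password' => password_hash('constructed-two', PASSWORD_BCRYPT)],
    ['uid' => 3, 'username' => 'legacy', 'password' => md5('constructed-three')],
    ['uid' => 4, 'username' => 'nopass', 'password' => ''],
];

foreach ($rows as $row) {
    printf("%-8s %s\n", $row['username'], classifyHash($row['password']));
}
printf("needs rehash: %s\n", implode(', ', accountsNeedingRehash($rows)));
```

Accounts reported as "unsalted-md5" should have their passwords reset under salted hashing after the saltedpasswords component is active, since the existing digest cannot be converted into a salted hash without the original password.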

Vulnerable subcomponent: Extbase Framework

Vulnerability Type: Information Disclosure

Affected Versions: Versions 6.2.0 to 6.2.2

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:O/RC:C

CVE: CVE-2014-3946

Problem Description: Failing to respect the user groups of logged-in users when caching queries, Extbase is susceptible to information disclosure. The query caching introduced in Extbase 6.2 cached queries without regard to the user group, so that query results intended for a specific user group could be presented to members of a different group.

Solution: Update to TYPO3 version 6.2.3, which fixes the problem described.

Credits: Credits go to Jan Kiesewetter who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.