TYPO3-CORE-SA-2015-001: Authentication Bypass in TYPO3 CMS 4.5

Categories: TYPO3 CMS Created by Helmut Hummel
It has been discovered that TYPO3 CMS 4.5.x is vulnerable to Authentication Bypass.

Component Type: TYPO3 CMS

Vulnerability Types: Authentication Bypass

Overall Severity: High

Release Date: February 19, 2015

Vulnerable subcomponent: RSA Authentication (ext:rsaauth)

Vulnerability Type: Authentication Bypass

Affected Versions: Versions 4.3.0 to 4.3.14, 4.4.0 to 4.4.15, 4.5.0 to 4.5.39 and 4.6.0 to 4.6.18

Severity: High

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:C/I:P/A:N/E:F/RL:OF/RC:C

CVE: CVE-2015-2047

Problem Description: It has been discovered that TYPO3 CMS is vulnerable to Authentication Bypass. Frontend users can be authenticated by only knowing their username.

TYPO3 installations are affected, if all of the following applies:

  • TYPO3 Version 4.3.0 to 4.3.14, 4.4.0 to 4.4.15, 4.5.0 to 4.5.39 or 4.6.0 to 4.6.18
  • users/access restricted frontend area (frontend login)
  • system extension rsaauth is loaded
  • system extension rsaauth is configured for frontend usage like that:
       $GLOBALS['TYPO3_CONF_VARS']['FE']['loginSecurityLevel'] = 'rsa'

TYPO3 installations are not affected, if at least one of the following applies:

  • TYPO3 Version 4.7.0 or higher
  • no users/access restricted frontend area (TYPO3 Backend authentication is not affected)
  • system extension rsaauth is not loaded (default)
  • system extension rsaauth is not configured for frontend usage like that (default):
       $GLOBALS['TYPO3_CONF_VARS']['FE']['loginSecurityLevel'] = 'rsa'

Solution: Update to TYPO3 version 4.5.40 that fixes the problem described. Alternatively use the provided <media 2938>shell script</media> to patch all affected TYPO3 versions (all between 4.3 and 4.6) that are found in a specified directory or use the diff file to patch the installations manually.

Important Note: Updating or patching your installations to fix this CRITICAL vulnerability is STRONGLY ADVISED!

Credits: Thanks to Pierrick Caillon who discovered and reported the vulnerability and to Security Team Member Nicole Cordes for developing a fix and providing the shell script.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Document Updates

  • 2015-02-23 by Helmut Hummel: referenced CVE
  • 2020-10-08 by Oliver Hader: adjusted CVSS v2.0, adjusted severity from "critical" to "high"