TYPO3-CORE-SA-2016-019: Environment Variable Injection

Categories: TYPO3 CMS

Created by Helmut Hummel
It has been discovered that PHP exposes the risk of Environment Variable Injection and that TYPO3 is vulnerable through the third-party library guzzlehttp/guzzle.

Component Type: TYPO3 CMS

Release Date: July 19, 2016

Vulnerability Type: Environment Variable Injection

Affected Versions: Versions 8.0.0 to 8.2.0

Severity: Low

Related CVE: CVE-2016-5385

Problem Description: PHP, when used as CGI, FPM or HHVM, also exposes HTTP headers as environment variables whose names start with "HTTP_". TYPO3 version 8.2.0 is vulnerable because it uses the third-party library guzzlehttp/guzzle, which makes use of the environment variable "HTTP_PROXY". Read https://www.symfony.fi/entry/httpoxy-vulnerability-hits-php-installations-using-fastcgi-and-php-fpm-and-hhvm or https://httpoxy.org/ for further details.
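
Illustration of the name collision described above and of one possible guard. This is an added example, not code from TYPO3 or guzzlehttp/guzzle; the function names, the guard policy and the sample header values are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example: not TYPO3 or Guzzle code; all function names are hypothetical.

/** Model of the CGI rule (RFC 3875): request header "Foo-Bar" becomes HTTP_FOO_BAR. */
function cgiMetaVariables(array $requestHeaders): array
{
    $vars = [];
    foreach ($requestHeaders as $name => $value) {
        $vars['HTTP_' . strtoupper(str_replace('-', '_', $name))] = $value;
    }
    return $vars;
}

/**
 * Guard (assumed policy): accept HTTP_PROXY only under the CLI SAPI, where
 * no request header can have created it; ignore it under CGI/FPM.
 */
function trustedHttpProxy(array $env, string $sapi): ?string
{
    if ($sapi !== 'cli') {
        return null;
    }
    $proxy = $env['HTTP_PROXY'] ?? '';
    return $proxy !== '' ? $proxy : null;
}

/** Drop the colliding variable before any library reads the environment. */
function stripProxyVariable(array $env): array
{
    unset($env['HTTP_PROXY']);
    return $env;
}

// Constructed sample request headers as a web SAPI would receive them.
$headers = ['Host' => 'cms.example.org', 'Proxy' => 'http://proxy.invalid:8080'];
$env = cgiMetaVariables($headers) + ['PATH' => '/usr/bin'];

// The "Proxy" header now occupies the name an HTTP client reads as its proxy.
var_dump(array_key_exists('HTTP_PROXY', $env));
// Under FPM the guard refuses the value; on the CLI an operator-set value passes.
var_dump(trustedHttpProxy($env, 'fpm-fcgi'));
var_dump(trustedHttpProxy(['HTTP_PROXY' => 'http://ops-proxy.invalid:3128'], 'cli'));
// After stripping, nothing derived from the request remains under that name.
var_dump(array_key_exists('HTTP_PROXY', stripProxyVariable($env)));
```

In a running application the inputs to the guard would be `getenv()` and `PHP_SAPI` instead of the constructed arrays.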

Solution: Update to TYPO3 version 8.2.1 that fixes the problem described.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security-related code changes are tagged so that you can easily look them up on our review system.