Component Type: TYPO3 CMS
Release Date: September 13, 2016
Vulnerability Type: Cache Flooding
Affected Versions: 6.2.0 to 6.2.26, 7.6.0 to 7.6.10 and 8.0.0 to 8.3.0
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:O/RC:C
CVE: not assigned yet
Problem Description: Links with a valid cHash argument lead to newly generated page cache entries. Because the cHash is not bound to a specific page, attackers could use valid cHash arguments for multiple pages, leading to additional useless page cache entries. Depending on the number of pages in the system and the number of available valid links with a cHash, attackers could add a considerable number of additional cache entries, which could eventually exceed storage limits and leave the system unresponsive. This means the Cache Flooding attack could potentially lead to a successful Denial of Service (DoS) attack.
Solution: Update to TYPO3 versions 6.2.27, 7.6.11 or 8.3.1 AND set the following configuration value to true.
$GLOBALS['TYPO3_CONF_VARS']['FE']['cHashIncludePageId'] = true;
Important Note: Just updating to the new TYPO3 versions is NOT enough to fix this vulnerability in existing installations. The configuration option needs to be set explicitly as well. Setting this option to true will invalidate EVERY existing URL that includes a cHash. This means that if such URLs are indexed by a search engine, visitors arriving from that search engine will end up on a page that does not work properly. If extensions like realurl are used, their caches (and the TYPO3 caches as well) must be flushed so that the new cHash is stored once the pages are requested.
Additionally, calling the CacheHashCalculator API will require the id argument to be set in the URL provided. This means that switching this option on may break existing extensions that use this API.
Because of this major impact on existing installations, please carefully consider when to activate this additional security option for your TYPO3 installation.
For new installations, this option is ON by default.
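The following added example (not TYPO3 core code and not part of the original advisory) is a simplified model of why binding the cHash to the page id limits the number of cache entries one valid link can produce. The secret, the HMAC-based hashing scheme, the function names and the sample parameters are assumptions made for illustration; TYPO3's real calculation lives in CacheHashCalculator.

```php
<?php
// Simplified model of cHash validation (added example, not TYPO3 core code).
// SECRET, the hashing scheme and the parameter names are assumptions.
const SECRET = 'constructed-encryption-key';

// Compute a cHash over the cache-relevant parameters. When $includePageId is
// true the page id is part of the hashed data, as with cHashIncludePageId.
function modelCHash(array $params, bool $includePageId): string
{
    $relevant = $params;
    unset($relevant['cHash']);
    if (!$includePageId) {
        unset($relevant['id']);
    } elseif (!isset($relevant['id'])) {
        // Mirrors the advisory: with the option on, callers must supply id.
        throw new InvalidArgumentException('id is required when the page id is hashed');
    }
    ksort($relevant);
    return hash_hmac('sha256', http_build_query($relevant), SECRET);
}

// Present one valid link's parameters and cHash on every page id and count
// how many distinct page cache entries the model would create.
function cacheEntriesAfterReplay(array $link, array $pageIds, bool $includePageId): int
{
    $cache = [];
    foreach ($pageIds as $pageId) {
        $request = ['id' => $pageId] + $link; // id replaced, cHash reused
        if (hash_equals(modelCHash($request, $includePageId), $request['cHash'])) {
            $cache[$pageId . '|' . $request['cHash']] = true; // new cache entry
        }
    }
    return count($cache);
}

// Constructed sample: one legitimate link on page 1, site with 1000 pages.
$pages = range(1, 1000);
foreach ([false, true] as $includePageId) {
    $link = ['id' => 1, 'tx_news' => ['item' => 7]];
    $link['cHash'] = modelCHash($link, $includePageId);
    printf("cHashIncludePageId=%s: %d cache entries\n",
        var_export($includePageId, true),
        cacheEntriesAfterReplay($link, $pages, $includePageId));
}
```

In this model the same cHash is accepted on every page while the id is left out of the hash, and only on its original page once the id is included. The exception branch models the requirement that callers of the hashing routine pass the id.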
Credits: Thanks to Dmitry Dulepov who discovered and reported the issue.
General Note: All security-related code changes are tagged so that you can easily look them up on our review system.