TYPO3-CORE-SA-2018-003: Privilege Escalation & SQL Injection in TYPO3 CMS

Categories: Security Created by Oliver Hader
It has been discovered, that TYPO3 CMS is vulnerable to Privilege Escalation and SQL Injection.
  • Component Type: TYPO3 CMS
  • Vulnerable subcomponent: Form Framework (ext:form)
  • Release Date: July 12, 2018
  • Vulnerability Type: Privilege Escalation & SQL Injection
  • Affected Versions: 8.5.0 to 8.7.16 and 9.0.0 to 9.3.0
  • Severity: High
  • Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:H/RL:OF/RC:C
  • CVE: not assigned yet

Problem Description

Failing to properly dissociate system related configuration from user generated configuration, the Form Framework (system extension "form") is vulnerable to SQL injection and Privilege Escalation. Basically instructions can be persisted to a form definition file that were not configured to be modified - this applies to definitions managed using the form editor module as well as direct file upload using the regular file list module. A valid backend user account as well as having system extension form activated are needed in order to exploit this vulnerability.

Solution

Update to TYPO3 versions 8.7.17 or 9.3.1 that fix the problem described. In order to distinguish form definitions files from regular YAML files, the new file suffix “.form.yaml” has been introduced. According form definition files have to be renamed to use the new file suffix (e.g. “Contact.yaml” has to become “Contact.form.yaml”) - this applies to files provided by TYPO3 extensions as well. A new upgrade wizard renames affected resources in storages managed by the file abstraction layer (FAL) and updates references in content elements as well.

Suggested migration path

  • ensure reference index is up-to-date (see documentation)
  • update to mentioned TYPO3 versions in order to fix the problem described
  • rename form definition files in extensions manually to use the “.form.yaml” suffix (files just having the “.yaml” suffix still can be referenced and rendered in the website frontend)
  • execute “Rename form definition file extension from .yaml to .form.yaml” upgrade wizard in the TYPO3 install tool

Credits

Thanks to TYPO3 core team member Oliver Hader  who reported this issue and to TYPO3 core team members Susanne Moog & Ralf Zimmermann who fixed the issue.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security related code changes are tagged so that you can easily look them up in our review system.