TYPO3-CORE-SA-2018-004: Insecure Deserialization in TYPO3 CMS

Categories: Security
Created by Oliver Hader

It has been discovered that TYPO3 CMS is vulnerable to Insecure Deserialization.
  • Component Type: TYPO3 CMS
  • Vulnerable subcomponent: Form Framework (ext:form)
  • Release Date: July 12, 2018
  • Vulnerability Type: Insecure Deserialization
  • Affected Versions: 8.5.0 to 8.7.16 and 9.0.0 to 9.3.0
  • Severity: None - High (depending on whether the PHP PECL package “yaml” is installed)
  • Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:H/RL:OF/RC:C/CDP:ND/TD:L/CR:ND/IR:ND/AR:ND
  • CVE: not assigned yet

Problem Description

It has been discovered that the Form Framework (system extension "form") is vulnerable to Insecure Deserialization when used together with the additional PHP PECL package “yaml”, which is capable of unserializing YAML contents into PHP objects. Exploiting this vulnerability requires a valid backend user account and the PHP setting "yaml.decode_php" to be enabled (which is the default value according to the PHP documentation).

Solution

Update to TYPO3 version 8.7.17 or 9.3.1, which fix the problem described. In general, it is suggested to disable the "yaml.decode_php" setting whenever the PHP PECL package "yaml" is installed.
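The following is an added illustration of the mitigation described above (it is not TYPO3 code and not part of the advisory): YAML from an untrusted source is parsed with the PECL "yaml" extension only after "yaml.decode_php" has been forced off, so tagged values are not turned into PHP objects. It assumes the PECL yaml extension is loaded and that "yaml.decode_php" can be changed at runtime via ini_set(); the helper name parseUntrustedYaml and the sample document are constructed for this example.

```php
<?php
// Added example, not TYPO3 code: parse untrusted YAML with PHP object
// deserialization disabled. Assumes the PECL "yaml" extension is loaded
// and that yaml.decode_php is changeable at runtime (ini_set).
//
// Weak php.ini default:      yaml.decode_php = 1
// Hardened php.ini setting:  yaml.decode_php = 0

declare(strict_types=1);

/**
 * Parse YAML from an untrusted source with yaml.decode_php disabled
 * for the duration of the parse, restoring the previous value afterwards.
 * Throws if the extension is missing or the setting cannot be turned off.
 */
function parseUntrustedYaml(string $yaml)
{
    if (!function_exists('yaml_parse')) {
        throw new RuntimeException('PECL yaml extension is not loaded');
    }
    $previous = ini_get('yaml.decode_php');
    if (ini_set('yaml.decode_php', '0') === false) {
        throw new RuntimeException('cannot disable yaml.decode_php');
    }
    try {
        $result = yaml_parse($yaml);
    } finally {
        // Restore whatever the process-wide value was before.
        ini_set('yaml.decode_php', (string) $previous);
    }
    if ($result === false) {
        throw new RuntimeException('YAML parse error');
    }
    return $result;
}

/**
 * Defensive check for deployment audits: report whether the weak
 * setting is still active in this PHP process.
 */
function decodePhpIsEnabled(): bool
{
    return function_exists('yaml_parse')
        && filter_var(ini_get('yaml.decode_php'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed sample: a tagged value that the extension would otherwise
// unserialize into an (empty, harmless) stdClass instance.
$sample = "config:\n  obj: !php/object 'O:8:\"stdClass\":0:{}'\n";
$parsed = parseUntrustedYaml($sample);
// With decoding disabled, the value stays a scalar instead of an object.
var_dump(is_object($parsed['config']['obj']), decodePhpIsEnabled());
```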

Credits

Thanks to TYPO3 core team member Oliver Hader, who reported this issue, and to TYPO3 core team member Ralf Zimmermann, who fixed the issue.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security related code changes are tagged so that you can easily look them up in our review system.