TYPO3-CORE-SA-2018-012: Denial of Service in Frontend Record Registration

Categories: Development Created by Oliver Hader
It has been discovered, that TYPO3 CMS is vulnerable to denial of service.
  • Component Type: TYPO3 CMS
  • Vulnerable subcomponent: Frontend Session Handling
  • Release Date: December 11, 2018
  • Vulnerability Type: Denial of Service
  • Affected Versions: 7.0.0-7.6.31 and 8.0.0-8.7.20
  • Severity: Medium
  • Suggested CVSS v3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F/RL:O/RC:C
  • CVE: not assigned yet

Problem Description

TYPO3’s built-in record registration functionality (aka “basic shopping cart”) using recs URL parameters is vulnerable to denial of service. Failing to properly ensure that anonymous user sessions are valid, attackers can use this vulnerability in order to create  an arbitrary amount of individual session-data records in the database.

Solution

Update to TYPO3 versions 7.6.32 or 8.7.21 that fix the problem described. The frontend record registration feature has been deprecated in TYPO3 v8.6.0 and finally was removed in TYPO3 v9.0.0 - thus TYPO3 v9 is not affected.

Strong security defaults - Manual actions required

The frontend record registration feature has been disabled in order to apply strong security defaults. Installations that actually are using this functionality have to enable the feature and its vulnerability again.
This can be done by enabling $GLOBALS['TYPO3_CONF_VARS']['FE']['enableRecordRegistration'] either using Install Tool or according deployment techniques.

Credits

Thanks to Mads Lønne Jensen who reported this issue and to TYPO3 core team member Benni Mack who fixed the issue.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security related code changes are tagged so that you can easily look them up in our review system.