TYPO3-CORE-SA-2023-003: Information Disclosure due to Out-of-scope Site Resolution

Categories: Development, TYPO3 CMS Created by Oliver Hader
It has been discovered that TYPO3 CMS is susceptible to information disclosure.

Problem Description

In multi-site scenarios, enumerating the HTTP query parameters id and L allowed out-of-scope access to rendered content in the website frontend. For instance, this allowed visitors to access content of an internal site by adding handcrafted query parameters to the URL of a site that was publicly available.

Solution

Update to TYPO3 versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, 12.4.4 that fix the problem described above.

Strong security defaults - Manual actions required

Resolving sites by the id and L HTTP query parameters is now denied per default. However, it is still allowed to resolve a particular page by e.g. example.org - as long as the page-id 123 is in the scope of the site configured for the base-url example.org.

The new feature flag security.frontend.allowInsecureSiteResolutionByQueryParameters - which is disabled per default - can be used to reactivate the previous behavior.

Credits

Thanks to Garvin Hicking who reported this issue, and to TYPO3 core & security team members Oliver Hader and Benjamin Franzke who fixed the issue.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security related code changes are tagged so that you can easily look them up in our review system.