- Component Type: TYPO3 CMS
- Subcomponent: URL Routing (ext:core)
- Release Date: July 25, 2023
- Vulnerability Type: Information Disclosure
- Affected Versions: 9.4.0-9.5.41, 10.0.0-10.4.38, 11.0.0-11.5.29, 12.0.0-12.4.3
- Severity: Low
- Suggested CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C
- References: CVE-2023-38499, CWE-200
Problem Description
In multi-site scenarios, enumerating the HTTP query parameters id and L allowed out-of-scope access to rendered content in the website frontend. For instance, this allowed visitors to access content of an internal site by adding handcrafted query parameters to the URL of a site that was publicly available.
Solution
Update to TYPO3 versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, 12.4.4 that fix the problem described above.
Strong security defaults - Manual actions required
Resolving sites by the id and L HTTP query parameters is now denied per default. However, it is still allowed to resolve a particular page by e.g. example.org - as long as the page-id 123 is in the scope of the site configured for the base-url example.org.
The new feature flag security.frontend.allowInsecureSiteResolutionByQueryParameters - which is disabled per default - can be used to reactivate the previous behavior.
Credits
Thanks to Garvin Hicking who reported this issue, and to TYPO3 core & security team members Oliver Hader and Benjamin Franzke who fixed the issue.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.
General Note
All security related code changes are tagged so that you can easily look them up in our review system.