It has been discovered that the extension "Speaking URLs for TYPO3" (realurl) is susceptible to Denial of Service.
Release Date: September 8, 2016
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: 2.0.0 to 2.0.14
Vulnerability Type: Denial of Service
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:O/RC:C
The extension allows an attacker to forge URLs with arbitrary cHash values, because the cHash GET argument is regenerated from the parameters of the incoming request. This makes it possible to create an arbitrary number of page cache entries. Exceeding database storage limits will eventually lead to the TYPO3 page not responding any more.
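The following added example (not code from the bulletin, realurl or the TYPO3 core) models the two server-side patterns the description contrasts. The cHash derivation, the `SECRET_KEY`, the `PageCache` class and the request log are constructed for illustration and do not reproduce TYPO3's real algorithm. It shows why regenerating the hash from the request itself lets every forged URL create a cache entry, while validating the client-supplied hash against the server's computation keeps the cache size bound to the URLs the site actually generated.

```python
import hmac
import hashlib
from urllib.parse import parse_qsl, urlencode

# Constructed server secret for this illustration; TYPO3's real cHash derivation is not modelled.
SECRET_KEY = b"constructed-example-key"


def compute_chash(params):
    """Keyed digest over the sorted cache-relevant GET parameters (everything except cHash)."""
    relevant = sorted((k, v) for k, v in params.items() if k != "cHash")
    return hmac.new(SECRET_KEY, urlencode(relevant).encode(), hashlib.sha256).hexdigest()


def render_page(params):
    """Stand-in for page rendering; the content is irrelevant to the cache-growth question."""
    return "page for " + urlencode(sorted(params.items()))


class PageCache:
    """Minimal keyed page cache that counts created entries and refused requests."""

    def __init__(self):
        self.entries = {}
        self.rejected = 0

    def key_for(self, params):
        return urlencode(sorted(params.items()))


def serve_regenerating(cache, query):
    """Weak pattern from the bulletin: cHash is recomputed from the request's own parameters,
    so any parameter combination passes and produces a fresh cache entry."""
    params = dict(parse_qsl(query))
    params["cHash"] = compute_chash(params)  # regenerated, therefore always "valid"
    cache.entries[cache.key_for(params)] = render_page(params)
    return True


def serve_validating(cache, query):
    """Hardened pattern: the client-supplied cHash must equal the server's computation;
    otherwise the request is answered without creating a cache entry."""
    params = dict(parse_qsl(query))
    supplied = params.get("cHash", "").encode()
    if not hmac.compare_digest(supplied, compute_chash(params).encode()):
        cache.rejected += 1
        return False
    cache.entries[cache.key_for(params)] = render_page(params)
    return True


def cache_entries_after(handler, queries):
    """Run a request sequence through a handler; return (cache entries created, requests refused)."""
    cache = PageCache()
    for query in queries:
        handler(cache, query)
    return len(cache.entries), cache.rejected


# Constructed request log: 500 URLs for the same page that differ only in a junk parameter
# and carry a cHash the client made up.
FORGED_QUERIES = [f"id=1&junk={i}&cHash=forged" for i in range(500)]

# One legitimate URL whose cHash came from the server's own link generation.
_legit_params = {"id": "1", "L": "0"}
LEGIT_QUERY = urlencode({**_legit_params, "cHash": compute_chash(_legit_params)})

if __name__ == "__main__":
    print("regenerating:", cache_entries_after(serve_regenerating, FORGED_QUERIES))
    print("validating:  ", cache_entries_after(serve_validating, FORGED_QUERIES + [LEGIT_QUERY]))
```

With the regenerating handler every forged request lands in the cache (500 entries), which is the storage growth the bulletin warns about; with the validating handler the same 500 requests are refused and only the single server-generated URL is cached. A monitoring check on the rate of cache-entry creation per page, or on the ratio of rejected to accepted cHash validations, gives an early signal of this condition before storage limits are hit.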
An updated version 2.0.15 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/realurl/2.0.15/t3x/ . Users of the extension are advised to update the extension as soon as possible.
Thanks to Robert Vock and Timo Pfeffer who discovered and reported the issue.
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.