TYPO3-EXT-SA-2020-002: Remote Code Execution in extension "PHPUnit" (phpunit)

Categories: Development. Created by Torben Hansen.
It has been discovered that the extension "PHPUnit" (phpunit) is susceptible to Remote Code Execution.
  • Release Date: March 10, 2020
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Vulnerability Type: Remote Code Execution
  • Affected Versions: 6.5.14 and below
  • Severity: Critical
  • Suggested CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE: not assigned yet

Problem Description

A PHP script located at "src/Util/PHP/eval-stdin.php" can be used to execute arbitrary PHP code in the context of the web server. The vulnerability is only exploitable if the vendor/ directory is publicly accessible.

Solution

An updated version, 6.5.15, is available from the TYPO3 extension manager and at
https://extensions.typo3.org/extension/download/phpunit/6.5.15/zip
Users of the extension are advised to update the extension as soon as possible.

Note: In general, the TYPO3 Security Team recommends not using development dependencies on production websites.
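The two conditions the advisory ties together are the presence of the bundled script under src/Util/PHP/eval-stdin.php and its reachability beneath the web-served document root, combined with an extension version at or below 6.5.14. The following offline audit, an added example that is not TYPO3 or PHPUnit code, checks both on a local copy of a site. It assumes the extension lives at typo3conf/ext/phpunit beneath the document root and records its version in ext_emconf.php, and the demo_docroot() fixture constructs a throwaway site layout purely so the script runs stand-alone; the nested vendor/ layout inside that fixture is an assumption, not the extension's actual file layout.

```python
"""Offline audit for TYPO3-EXT-SA-2020-002 (constructed example, not TYPO3 code)."""
import re
import tempfile
from pathlib import Path

# Relative path named in the advisory, inside the PHPUnit package.
EVAL_STDIN = Path("src/Util/PHP/eval-stdin.php")
# First fixed extension version according to the advisory.
FIXED_VERSION = (6, 5, 15)
# Assumed location of the extension below the document root (TYPO3 convention).
EXT_REL_DIR = Path("typo3conf/ext/phpunit")


def parse_version(text):
    """Turn '6.5.14' into (6, 5, 14); missing components are padded with 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version):
    """True for every version below the first fixed release (6.5.14 and below)."""
    return parse_version(version) < FIXED_VERSION


def find_eval_stdin(docroot):
    """List every copy of the advisory's script that sits beneath the served docroot.

    Only files whose full relative path ends with src/Util/PHP/eval-stdin.php
    are reported, so an unrelated file that merely shares the name is ignored.
    """
    docroot = Path(docroot)
    hits = []
    for path in docroot.rglob(EVAL_STDIN.name):
        if path.is_file() and path.as_posix().endswith(EVAL_STDIN.as_posix()):
            hits.append(path.relative_to(docroot).as_posix())
    return sorted(hits)


def extension_version(ext_dir):
    """Read the 'version' entry from a TYPO3 extension's ext_emconf.php, if present."""
    emconf = Path(ext_dir) / "ext_emconf.php"
    if not emconf.is_file():
        return None
    match = re.search(r"'version'\s*=>\s*'([^']+)'", emconf.read_text(errors="replace"))
    return match.group(1) if match else None


def audit(docroot):
    """Summarise exposure: reachable eval-stdin.php copies and an outdated extension."""
    docroot = Path(docroot)
    version = extension_version(docroot / EXT_REL_DIR)
    return {
        "exposed_files": find_eval_stdin(docroot),
        "extension_version": version,
        "affected": bool(version and is_affected(version)),
    }


def demo_docroot():
    """Build a constructed, throwaway site layout so the audit can run offline.

    The layout is an assumption for demonstration: an affected extension with
    the script nested under vendor/, plus a decoy file that shares only the name.
    """
    root = Path(tempfile.mkdtemp())
    ext = root / EXT_REL_DIR
    script = ext / "vendor" / "phpunit" / "phpunit" / EVAL_STDIN
    script.parent.mkdir(parents=True)
    script.write_text("<?php // constructed placeholder for the demo\n")
    (ext / "ext_emconf.php").write_text(
        "<?php\n$EM_CONF['phpunit'] = ['version' => '6.5.14'];\n"
    )
    decoy = root / "fileadmin" / "eval-stdin.php"
    decoy.parent.mkdir(parents=True)
    decoy.write_text("<?php // same file name, different path: not reported\n")
    return str(root)


if __name__ == "__main__":
    site = demo_docroot()
    for key, value in audit(site).items():
        print(f"{key}: {value}")
```

Run it against the real document root of a site (audit("/var/www/html") or wherever the web server's root is) instead of the demo fixture. An empty exposed_files list together with affected=False is the state the advisory's solution and note aim for: either the extension is updated or development dependencies are kept outside the served tree altogether.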

Credits

Thanks to Sebastian Bergmann for reporting the vulnerability and to Oliver Klee for providing a TYPO3 extension package with an updated PHPUnit version.

General Advice

Follow the recommendations given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.