TYPO3-EXT-SA-2020-019: Sensitive Data Exposure in extension "View frontend statistics" (view_statistics)

Categories: Development, Security. Created by Torben Hansen.
It has been discovered that the extension "View frontend statistics" (view_statistics) is susceptible to Sensitive Data Exposure.
  • Release Date: November 17, 2020
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: View frontend statistics (view_statistics)
  • Vulnerability Type: Sensitive Data Exposure
  • Affected Versions: 2.0.0 and below
  • Severity: High
  • Suggested CVSS v3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:F/RL:O/RC:C
  • References: CVE-2020-28917

Problem Description

The extension saves all GET and POST data of TYPO3 frontend requests to the database. Depending on the extensions used on a TYPO3 website, sensitive data (e.g. plain text passwords if ext:felogin is installed) may be saved.
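The vulnerability class is generic: a tracker that persists every request parameter verbatim will also persist whatever credentials a login form posts. The following added example (written for this advisory, not code from the view_statistics extension or TYPO3) models that pattern next to a hardened variant that redacts credential-like parameter names and, optionally, only keeps an allow-listed subset. The sample POST, its field names (`user`, `pass`, `tx_felogin_pi1[logintype]`) and the regular expression are constructed for illustration; they are not taken from ext:felogin.

```python
"""Request-parameter tracking: vulnerable pattern vs. redacting pattern.

Illustrative code added to this advisory; not the extension's own code.
"""
import re
from typing import Dict, Iterable, Optional

# Constructed sample request: a frontend login form POST as a tracker sees it.
SAMPLE_POST = {
    "user": "alice",
    "pass": "hunter2",                      # plain-text credential
    "tx_felogin_pi1[logintype]": "login",   # constructed nested key
    "page": "42",
}

# Parameter names that must never be stored verbatim. Matched case-insensitively
# against the innermost name of PHP-style nested keys such as "tx_x[password]".
SENSITIVE_KEY_RE = re.compile(
    r"(pass(word|wd)?|pwd|secret|token|csrf|session|auth|apikey|api_key)$",
    re.IGNORECASE,
)

REDACTED = "[redacted]"


def leaf_name(key: str) -> str:
    """Innermost name of a nested key: 'tx_x[a][pass]' -> 'pass', 'page' -> 'page'."""
    m = re.search(r"\[([^\]]*)\]$", key)
    return m.group(1) if m else key


def track_vulnerable(params: Dict[str, str]) -> Dict[str, str]:
    """The behaviour the advisory describes: the stored row is a copy of all parameters."""
    return dict(params)


def track_hardened(
    params: Dict[str, str], allowlist: Optional[Iterable[str]] = None
) -> Dict[str, str]:
    """Build the row to store, never retaining credential-like values.

    - If `allowlist` is given, parameters outside it are dropped entirely
      (default-deny is the safer design for a statistics feature).
    - Any retained parameter whose name looks like a credential is replaced
      by a marker, so a later DB leak cannot expose the original value.
    """
    allowed = set(allowlist) if allowlist is not None else None
    row: Dict[str, str] = {}
    for key, value in params.items():
        if allowed is not None and key not in allowed:
            continue
        row[key] = REDACTED if SENSITIVE_KEY_RE.search(leaf_name(key)) else value
    return row


def contains_secret(row: Dict[str, str], secret: str) -> bool:
    """Audit helper: does a stored row still contain the raw secret anywhere?"""
    return any(secret in value for value in row.values())


if __name__ == "__main__":
    print("vulnerable:", track_vulnerable(SAMPLE_POST))
    print("hardened:  ", track_hardened(SAMPLE_POST))
    print("allow-list:", track_hardened(SAMPLE_POST, allowlist=("page",)))
```

The `contains_secret` helper is the kind of check to run over an already populated tracking table before deciding whether existing rows, not just the code path, need to be purged; the advisory's own guidance to drop the stored field covers the case where such data has already been written.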

Solution

An updated version 2.0.1 is available from the TYPO3 extension manager and at
https://extensions.typo3.org/extension/download/view_statistics/2.0.1/zip/.
Users of the extension are advised to update the extension as soon as possible.

Important: Updating the extension does not fully resolve the problem, since sensitive data may already have been saved to the database. Users of the extension are advised to delete the field “request_params” in the table “tx_viewstatistics_domain_model_track” either by using the TYPO3 Install Tool (Analyze Database Structure) or manually.

Credits

Thanks to Thomas Deuling for reporting the issue and providing an updated version of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.