TYPO3-PSA-2014-001: Cross-Site Request Forgery Protection in TYPO3 CMS 6.2

TYPO3 CMS 6.2 will get CSRF Protection throughout all modules and parts that manipulate data.

Component Type: TYPO3 CMS

Vulnerability Types: Cross-Site Request Forgery (CSRF)

Overall Severity: Low

Release Date: January 31, 2014

Affected Versions: All versions below 6.2

CVE: Will be requested.

Problem Description: CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With the help of social engineering (like sending a link via email/chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing.

In TYPO3 CMS, protection against CSRF has been implemented for many important actions (like creating, editing or deleting records) but is still missing in other places (like Extension Manager, file upload, configuration module).

The upcoming 6.2 LTS version will finally close this gap and will protect editors or administrators from these kind of attacks.

Since this kind of security improvement cannot be done without potentially breaking third party extensions, this additional security feature will only be part of TYPO3 CMS 6.2 and will not be backported to older versions.

Solution: Since user action is always involved in this attack technique the risk can be mitigated greatly by not using the default web browser to log into a TYPO3 Backend and always log out once the work is finished. It is also suggested to not visit any other website in the same browser while being logged in. Update to TYPO3 CMS 6.2 is suggested (once released), but not strictly required if the mitigation strategies described above are taken into account.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.