- Component Type: TYPO3 CMS
- Subcomponent: Install Tool (ext:install)
- Release Date: November 17, 2020
- Affected Versions: 9.0.0-9.5.22, 10.0.0-10.4.9
When the system maintainer concept was introduced with TYPO3 v9.0.0, the requirement to enter a password when accessing the Install Tool via the backend user interface was removed.
However, the Install Tool allows one to define various configuration settings as well as arguments and paths for low-level binary applications that take care of further processing.
By definition, all of these actions and features qualify as “remote code execution”. There is no problem when they are used by legitimate system maintainers - however, they also form a valid attack vector in case user sessions have been hijacked through other vulnerabilities in any software component on the same server - such as cross-site scripting or SQL injection.
The ideal solution would be to not ship the Install Tool component on a production website at all - which is, however, not feasible for all environments. Thus, protecting the entry point is currently the best way to mitigate unintended access to the Install Tool via the backend user interface.
Users now have to enter either their user password or the “Install Tool password” to get corresponding access. This mechanism is known as Sudo Mode.
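The following PHP sketch, added here as an illustration and not TYPO3's own code, shows the essence of such a sudo-mode gate: an already authenticated (possibly hijacked) session is not sufficient on its own, the user must re-enter either of two accepted credentials, and the resulting grant is short-lived. The class name, lifetime and demo passwords are assumptions made for this example.

```php
<?php
declare(strict_types=1);
// Hypothetical sudo-mode gate, added here as an illustration; not TYPO3's own code.
// An existing (possibly hijacked) backend session is not enough to reach a privileged
// module: the user must re-enter either their own password or the separate Install Tool
// password, and the resulting grant expires after a short time.
final class SudoModeGate
{
    private const GRANT_LIFETIME = 300; // seconds a re-authentication stays valid
    private string $userPasswordHash;        // password_hash() of the backend user's password
    private string $installToolPasswordHash; // password_hash() of the Install Tool password
    private ?int $grantedUntil = null;       // in practice kept server-side in the session
    public function __construct(string $userPasswordHash, string $installToolPasswordHash)
    {
        $this->userPasswordHash = $userPasswordHash;
        $this->installToolPasswordHash = $installToolPasswordHash;
    }
    // Accept either credential; on success record a short-lived grant.
    public function confirm(string $secret, int $now): bool
    {
        $ok = password_verify($secret, $this->userPasswordHash)
            || password_verify($secret, $this->installToolPasswordHash);
        if ($ok) {
            $this->grantedUntil = $now + self::GRANT_LIFETIME;
        }
        return $ok;
    }
    // True only while an unexpired grant exists.
    public function isGranted(int $now): bool
    {
        return $this->grantedUntil !== null && $this->grantedUntil > $now;
    }
    // Run a privileged action only when sudo mode is active; otherwise refuse.
    public function guard(int $now, callable $privilegedAction)
    {
        if (!$this->isGranted($now)) {
            throw new RuntimeException('Re-authentication required before entering the Install Tool.');
        }
        return $privilegedAction();
    }
}

// Constructed demo values, not real credentials.
$gate = new SudoModeGate(password_hash('user-pw-demo', PASSWORD_DEFAULT),
                         password_hash('install-tool-pw-demo', PASSWORD_DEFAULT));
$now = time();
assert($gate->isGranted($now) === false);                        // a session alone grants nothing
assert($gate->confirm('install-tool-pw-demo', $now) === true);   // Install Tool password accepted
assert($gate->guard($now, fn() => 'opened') === 'opened');
assert($gate->isGranted($now + 301) === false);                  // grant expired, re-authenticate
```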
It is suggested to update to TYPO3 versions 9.5.23 or 10.4.10 that mitigate the problem described by introducing Sudo Mode for accessing the Install Tool via the backend user interface.
Maintainers of extensions that provide remote, single sign-on, or multi-factor authentication are advised to check technical details and potential implications for their extensions.
This change enforces the suggestions of TYPO3-CORE-SA-2020-006.
Thanks to Sinan Sekerci (Dreamlab Technologies), who brought this topic to our attention again, and to TYPO3 security team member Oliver Hader, who introduced Sudo Mode to mitigate the issue.