- Component Type: TYPO3 CMS
- Subcomponent: Install Tool (ext:install)
- Release Date: November 17, 2020
- Affected Versions: 9.0.0-9.5.22, 10.0.0-10.4.9
Problem Description
With the introduction of the system maintainer concept in TYPO3 v9.0.0, the requirement to enter a password when accessing the Install Tool via the backend user interface was removed.
However, the Install Tool allows system maintainers to change a wide range of configuration settings, including paths to and arguments for low-level binary applications that the system invokes for further processing.
By definition, all of these actions and features amount to "remote code execution". That is acceptable when they are exercised by legitimate system maintainers; however, they become an attack vector once a system maintainer's backend session has been hijacked through another vulnerability in any software component on the same server, such as cross-site scripting or SQL injection.
Solution
The ideal solution would be to not ship the Install Tool component at all on a production website, which is however not feasible in all environments. Protecting its entry point is therefore currently the best way to mitigate unintended access to the Install Tool via the backend user interface.
Users now have to enter either their own backend user password or the "Install Tool password" to gain access. This mechanism is known as Sudo Mode.
It is suggested to update to TYPO3 versions 9.5.23 or 10.4.10, which mitigate the problem described by introducing Sudo Mode for accessing the Install Tool via the backend user interface.
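The following PHP 8 sketch is an added illustration of the Sudo Mode idea described above; it is not TYPO3's own implementation, and all names (SudoModeGate, the session keys, the hypothetical credentials) are assumptions made for this example. It shows the three properties that make the mitigation effective against a hijacked session: the elevated state is separate from the login session and expires, it is granted only after re-entering either the user password or the Install Tool password, and repeated failures are limited.

```php
<?php
declare(strict_types=1);

/**
 * Illustrative sudo-mode gate (example code, not TYPO3's implementation).
 *
 * Assumptions (hypothetical): $session is the backend user's session array,
 * the two hashes were produced with password_hash(), and the caller invokes
 * isGranted() before rendering any Install Tool action and grant() on the
 * password-confirmation form.
 */
final class SudoModeGate
{
    private const GRANT_KEY = 'sudo_mode_granted_until';
    private const FAILURE_KEY = 'sudo_mode_failures';
    private const TTL_SECONDS = 900;   // elevated state expires after 15 minutes
    private const MAX_FAILURES = 5;    // simple per-session lockout against guessing

    public function __construct(
        private string $userPasswordHash,
        private ?string $installToolPasswordHash,
    ) {}

    /** True only if the session holds an unexpired sudo grant; a stolen login cookie alone is not enough. */
    public function isGranted(array $session, int $now): bool
    {
        $until = $session[self::GRANT_KEY] ?? 0;
        return is_int($until) && $until > $now;
    }

    /**
     * Accept either the backend user's password or the Install Tool password.
     * Both comparisons are always evaluated so a match is not revealed by
     * skipping the second check.
     */
    public function verify(string $secret): bool
    {
        $userOk = password_verify($secret, $this->userPasswordHash);
        $toolOk = $this->installToolPasswordHash !== null
            && password_verify($secret, $this->installToolPasswordHash);
        return $userOk || $toolOk;
    }

    /** Attempt to enter sudo mode; updates the session and returns success. */
    public function grant(array &$session, string $secret, int $now): bool
    {
        $failures = $session[self::FAILURE_KEY] ?? 0;
        if ($failures >= self::MAX_FAILURES) {
            return false; // locked for this session; a fresh login is required
        }
        if (!$this->verify($secret)) {
            $session[self::FAILURE_KEY] = $failures + 1;
            return false;
        }
        // Rotate the session id on privilege change to defeat session fixation.
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }
        unset($session[self::FAILURE_KEY]);
        $session[self::GRANT_KEY] = $now + self::TTL_SECONDS;
        return true;
    }

    public function revoke(array &$session): void
    {
        unset($session[self::GRANT_KEY]);
    }
}

// Demonstration with constructed credentials (not real secrets).
function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException('unexpected: ' . $what);
    }
}

$gate = new SudoModeGate(
    password_hash('backend-user-pw', PASSWORD_DEFAULT),
    password_hash('install-tool-pw', PASSWORD_DEFAULT),
);
$session = [];
$now = time();

expect(!$gate->isGranted($session, $now), 'hijacked session without grant must be denied');
expect(!$gate->grant($session, 'wrong-guess', $now), 'wrong secret must not grant');
expect($gate->grant($session, 'install-tool-pw', $now), 'Install Tool password must grant');
expect($gate->isGranted($session, $now + 10), 'grant is valid within the TTL');
expect(!$gate->isGranted($session, $now + 901), 'grant expires after the TTL');
$gate->revoke($session);
expect(!$gate->isGranted($session, $now + 10), 'revoked grant is denied');
echo "sudo-mode gate behaves as expected\n";
```

The important design choice is that the grant lives in a separate, short-lived session key rather than being implied by the login itself: an attacker who obtains the backend session cookie through XSS or SQL injection still cannot reach the Install Tool without knowing a password.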
Maintainers of extensions that provide remote, single sign-on, or multi-factor authentication are advised to check the technical details and potential implications for their extensions, for example because users authenticated through such a mechanism may have no local backend password to re-enter.
This change enforces the recommendations of TYPO3-CORE-SA-2020-006.
Credits
Thanks to Sinan Sekerci (Dreamlab Technologies), who brought this topic to our attention again, and to TYPO3 security team member Oliver Hader, who introduced Sudo Mode to mitigate the issue.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.