TYPO3-PSA-2021-001: Sensitive links in search results of TYPO3 extension indexed_search

Categories: Development, TYPO3 CMS Created by Torben Hansen
It has been discovered that the TYPO3 extension “Indexed Search” may index sensitive links under certain conditions.
  • Component Type: TYPO3 CMS
  • Subcomponent: Indexed Search (ext:indexed_search)
  • Release Date: July 20, 2021
  • Impact: Information Disclosure
  • Type: Advisory

Problem Description

On TYPO3 websites where the “Indexed Search” extension is used, sensitive links may get indexed. The problem occurs when a TYPO3 page contains a plugin that handles possible sensitive actions via HTTP GET parameters  (e.g. confirmation action for a newsletter subscription, or similar token-based actions used for verification). This may lead to unwanted behavior, since “Indexed Search” may add the URL to the search index and website users would be able to find the link in the search result.

The impact of the problem depends on the functionality of the affected actions. For non-repeatable calls (e.g. where the URL is only valid once), there may be no impact if no sensitive user data is shown by the affected plugin. For repeatable actions (e.g. link to editing form of users’ newsletter subscription), the problem may lead to information disclosure or data modification.

The problem will only occur when the URL is fully cacheable (contains a valid cHash for all parameters).

Solution

Indexed search currently has no mechanism allowing extensions to intercept the indexing process - page contents are indexed before uncached extension plugins are processed.

The recommended way to avoid sensitive links getting indexed is to exclude the whole page from the page index.

If excluding the page from the index is not suitable (e.g. because it also contains content that must be indexed), we recommend to use a custom PSR-15 Middleware (TYPO3 9.5 and upwards) or a TSFE hook to conditionally set the “no_search” property at runtime based on routing parameters. Note, that it is important to set the “no_search” property before the indexed search pageIndexing hook is called in TSFE.

Credits

Thanks to Karsten Nowak who brought this topic to our attention.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.