Component Type: TYPO3 Core
Affected Versions: TYPO3 versions 4.0.0 to 4.0.9, 4.1.0 to 4.1.7, 4.2.0 to 4.2.3
Vulnerability Types: Broken Authentication and Session Management, Cross-Site Scripting, Insecure Randomness and Remote Command Execution
Overall Severity: High
Release Date: January 20, 2009 - 4pm (GMT)
Vulnerable subcomponent #1: System extension Install tool (install)
Vulnerability Types: Insecure Randomness
Severity: High
Problem Description: The encryption key used throughout TYPO3 is created with an insufficiently random seed, which results in low entropy.
Solution: Update to the TYPO3 versions 4.0.10, 4.1.8 or 4.2.4 that fix the problem described.
You will need to create a new encryption key! Therefore first clear the configuration cache, upgrade to the new TYPO3 version, open the install tool and choose menu 1 ("Basic Configuration"). Scroll to the bottom of the page and click on the button "Generate random key". Submit the form by clicking on "Update localconf.php".
Afterwards, clear the configuration and page cache again!
Credits: Credits go to Chris John Riley (Raiffeisen Informatik, CERT Security Competence Center Zwettl, Austria) who discovered and reported the issue.
Vulnerable subcomponent #2: Authentication library
Vulnerability Types: Broken Authentication and Session Management
Severity: High
Problem Description: TYPO3 authenticates frontend and backend users without invalidating a supplied session identifier. TYPO3 is therefore open to session fixation, which allows an attacker to hijack a victim's session.
Solution: Update to the TYPO3 versions 4.0.10, 4.1.8 or 4.2.4 that fix the issue described.
Credits: Credits go to TYPO3 Security Team member Marcus Krause who discovered and reported the issue.
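A simplified model of the session fixation flaw described for subcomponent #2, added here as an illustration and not TYPO3's authentication code; the class, method names and user name are hypothetical. It contrasts a login that keeps the supplied identifier with one that invalidates it, and includes the regression check that the pre-login identifier no longer maps to a user:

```python
import secrets


class SessionStore:
    """Minimal in-memory model of a server-side session table (hypothetical)."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": name or None}

    def open(self, supplied_id=None):
        """Return the session id for a request, creating a session if needed."""
        if supplied_id in self.sessions:
            return supplied_id
        # Strict mode: never adopt an identifier the server did not issue.
        sid = secrets.token_hex(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login_keep_id(self, sid, user):
        """Flawed pattern: the pre-login identifier survives authentication."""
        self.sessions[sid]["user"] = user
        return sid

    def login_rotate_id(self, sid, user):
        """Hardened pattern: drop the pre-login identifier, issue a fresh one."""
        data = self.sessions.pop(sid)  # old identifier is invalid from here on
        data["user"] = user
        new_sid = secrets.token_hex(32)
        self.sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        """Who the server believes is behind this identifier (None = nobody)."""
        return self.sessions.get(sid, {}).get("user")


def pre_login_id_still_authenticated(login_method_name):
    """Regression check: is the identifier seen before login valid afterwards?"""
    store = SessionStore()
    pre_login_sid = store.open()  # identifier known before login
    login = getattr(store, login_method_name)
    post_login_sid = login(pre_login_sid, "editor")  # constructed user name
    assert store.user_for(post_login_sid) == "editor"
    return store.user_for(pre_login_sid) == "editor"


if __name__ == "__main__":
    print("keep id  :", pre_login_id_still_authenticated("login_keep_id"))    # True
    print("rotate id:", pre_login_id_still_authenticated("login_rotate_id"))  # False
```

The same check can be run against a live login form after upgrading: the session cookie value sent before authentication should differ from the one set afterwards.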
Vulnerable subcomponent #3: System extension Indexed Search Engine (indexed_search)
Vulnerability Types: Cross-Site Scripting, Remote Command Execution
Severity: Medium
Problem Description: Arguments passed to the command-line indexer are not sanitized, making this system extension susceptible to Remote Command Execution. Furthermore, the corresponding backend module fails to sanitize user-supplied input (name and content of files to be indexed), making this system extension susceptible to Cross-Site Scripting.
Solution: Update to the TYPO3 versions 4.0.10, 4.1.8 or 4.2.4 that fix the issues described.
Credits: Credits go to Mads Olesen who discovered and reported the issues.
Vulnerable subcomponent #4: System extension ADOdb (adodb)
Vulnerability Types: Cross-Site Scripting
Severity: Medium
Problem Description: Test scripts fail to sanitize user-supplied input, making this system extension susceptible to Cross-Site Scripting.
Solution: Update to the TYPO3 versions 4.0.10, 4.1.8 or 4.2.4 that fix the issues described.
Credits: Credits go to Mads Olesen who discovered and reported the issue.
Vulnerable subcomponent #5: Workspace module
Vulnerability Types: Cross-Site Scripting
Severity: Medium
Problem Description: The module fails to sanitize user-supplied input, making this module susceptible to Cross-Site Scripting.
Solution: Update to the TYPO3 versions 4.0.10, 4.1.8 or 4.2.4 that fix the issue described.
Credits: Credits go to Daniel Fabian (SEC Consult, Austria) who discovered and reported the issue.
Note on TYPO3 Lifecycle Policy:
The following TYPO3 versions are currently (as of January 2009) officially supported:
- TYPO3 4.2 (current stable; updates and security fixes)
- TYPO3 4.1 (old stable; updates and security fixes)
- TYPO3 4.0 (old old stable; security fixes only)
General advice: Follow the recommendations that are given in the TYPO3 Security Cookbook. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.