TYPO3-SA-2009-002: Information Disclosure & XSS in TYPO3 Core

Categories: TYPO3 CMS Created by Lars Houmark
It has been discovered that TYPO3 Core is vulnerable to Information Disclosure and Cross-Site Scripting.

Component Type: TYPO3 Core

Affected Versions: TYPO3 versions 3.3.x, 3.5.x, 3.6.x, 3.7.x, 3.8.x, 4.0 to 4.0.11, 4.1.0 to 4.1.9, 4.2.0 to 4.2.5, 4.3alpha1

Vulnerability Types: Information Disclosure, Cross-Site Scripting

Overall Severity: Critical

Release Date: February 10, 2009 - 9am (GMT)

Vulnerable subcomponent #1: Access tracking mechanism

Vulnerability Type: Information Disclosure

Severity: Critical

Problem Description: An Information Disclosure vulnerability in jumpUrl mechanism, used to track access on web pages and provided files, allows a remote attacker to read arbitrary files on a host.

The expected value of a mandatory hash secret, intended to invalidate such requests, is exposed to remote users allowing them to bypass access control by providing the correct value.

There's no authentication required to exploit this vulnerability. The vulnerability allows to read any file, the web server user account has access to.

Possible Impact: This flaw is making it potentially possible for the hacker to download the contents of any file on the server, i.e. typo3conf/localconf.php, which holds both install tool password alongside database username and password.

Using rainbow tables, the hacker may be able to login to your install tool and from there take over your website.

Please refer to the section "Other recommendations" in order to understand some general methods of securing your TYPO3 installation.


You can choose one of the solutions below:

1) Update to the TYPO3 versions 4.0.12, 4.1.10 or 4.2.6, or

2) Use this shell script (md5 sum: 0cbd0aac72e624cb3dd6673a01f85320, documentation in file) to run accross your webservers in order to replace the affected lines, or

2) Apply one of the patches linked below (fitting to the version you're using), or

3) Edit the affected file class.tslib_fe.php following the instructions below.

In TYPO3 versions equal or greater than 4.0, the affected file is located in typo3/sysext/cms/tslib/class.tslib_fe.php.

In TYPO3 versions lower than 4.0, the affected file is located in tslib/class.tslib_fe.php and possibly symlinked to the aforementioned location, also in typo3/sysext/cms/tslib/class.tslib_fe.php

In the file, search for the line:
} else die('jumpurl Secure: Calculated juHash, '.$calcJuHash.', did not match the submitted juHash.');

and replace it with:
} else die('jumpurl Secure: Calculated juHash did not match the submitted juHash.');

Note: Version 3.3 and 3.5 of TYPO3 uses double-quotes, which means you have to search ".$calcJuHash." when doing manual replacing.

Patches for older TYPO3 versions:

The command to patch files is (without $):

$ patch -p1 < filename.diff

For the trunk version the patch command is:

$ patch -p0 < filename.diff

Other Recommendations:

Always make sure to disable the install tool, by removing the file "ENABLE_INSTALL_TOOL" when not using it.

Protect access to database management tools like phpMyAdmin.

Do not allow network (remote) connections to the database server from anywhere other than your web server.

If you have a suspicion that your installation have already been compromised, then change the install tool password, database password and encryptionKey, after upgrading your installation.

If you are upgrading a from a version below 4.2.4, then please make sure to re-generate the encryptionKey, using the install tool, after upgrading to 4.2.6.

Credits: Credits go to TYPO3 Security Team member Marcus Krause who discovered and reported the issue, and core team leader Michael Stucki for creating patches.

Vulnerable subcomponent #2: Backend User Interface

Vulnerability Type: Cross-Site Scripting

Severity: Low

Problem Description: Failing to sanitize user input, three fields in the backend is open to Cross-Site Scripting (XSS).

Solution: Update to the TYPO3 versions 4.0.12, 4.1.10 or 4.2.6 that fixes the issues described.

Credits: Credits go to Jelmer de Hen and Dmitry Dulepov, who discovered, reported, and fixed the issues.

General advice: Follow the recommendations that are given in the TYPO3 Security Cookbook. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.