TYPO3-SA-2009-016: Multiple vulnerabilities in TYPO3 Core

Categories: TYPO3 CMS Created by Helmut Hummel
It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting, SQL-Injection, Remote Command Execution, Information Disclosure and insecure Install Tool authentication/session handling.

Component Type: TYPO3 Core

Affected Versions: TYPO3 versions 4.0.13 and below, 4.1.12 and below, 4.2.9 and below, 4.3.0beta1 and below

Vulnerability Types: SQL injection, Cross-site scripting (XSS), Information disclosure, Frame hijacking, Remote shell command execution and Insecure Install Tool authentication/session handling.

Overall Severity: High

Release Date: October 22, 2009

Vulnerable subcomponent #1: Backend

Vulnerability Type: Information disclosure

Severity: High

Problem Description: By entering malicious content into a tt_content form element, a backend user could recalculate the encryption key. This knowledge could be used to attack TYPO3 mechanisms that are protected by this key. A valid backend login is required to exploit this vulnerability.

Solution: Update to the TYPO3 versions 4.1.13, 4.2.10 or 4.3beta2 that fix the problem described.

Credits: Credits go to Stefan Schuler who discovered and reported the issue.

Vulnerability Type: Cross-site scripting

Severity: Medium

Problem Description: Failing to sanitize user input, the TYPO3 backend is susceptible to XSS attacks in several places. A valid backend login is required to exploit these vulnerabilities.

Solution: Update to the TYPO3 versions 4.1.13, 4.2.10 or 4.3beta2 that fix the problem described.

Credits: Credits go to Stefan Esser, Marcus Krause and Jelmer de Hen, who discovered and reported the issues.

Vulnerability Type: Frame hijacking

Severity: Medium

Problem Description: By manipulating URL parameters it is possible to include arbitrary websites in the TYPO3 backend framesets. A valid backend login is required to exploit this vulnerability.

Solution: Update to the TYPO3 versions 4.1.13, 4.2.10 or 4.3beta2 that fix the problem described.

Credits: Credits go to Jelmer de Hen who discovered and reported the issue.
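The frame hijacking item above comes down to one check: a URL parameter that ends up as the `src` of a backend frame must only ever point into the backend itself. The following is an added example written for this advisory, not TYPO3 code; the function name, the accepted `/typo3/` prefix and the sample URLs are assumptions for illustration. It rejects the usual ways of smuggling an external target past a naive prefix check (absolute URLs, scheme-relative `//host` URLs, pseudo-schemes such as `javascript:`, backslashes, and `..` segments that escape the backend directory).

```php
<?php
// Added example (not TYPO3 code): validating a URL parameter before it is used
// as the src of a backend frame, so that only local backend paths are accepted.
// The function name and the accepted prefix are assumptions for illustration.

/**
 * Returns true only if $url is a same-origin path below /typo3/ without a
 * scheme or host part.
 */
function isLocalFrameTarget(string $url): bool
{
    // Reject control characters and backslashes: some browsers treat "\" like
    // "/" in URLs, so "/\evil.example" would point at another host.
    if (preg_match('/[\x00-\x1f\x7f\\\\]/', $url)) {
        return false;
    }
    // Reject anything that starts with a scheme (http:, javascript:, data:, ...).
    if (preg_match('/^[a-z][a-z0-9+.\-]*:/i', $url)) {
        return false;
    }
    // Reject scheme-relative URLs ("//evil.example/..."): they keep the current
    // scheme but point at a different host.
    if (strpos($url, '//') === 0) {
        return false;
    }
    $path = parse_url($url, PHP_URL_PATH);
    if ($path === null || $path === false) {
        return false;
    }
    // Normalise "." and ".." segments before comparing against the allowed prefix,
    // otherwise "/typo3/../index.php" would pass a plain prefix check.
    $segments = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($segments);
            continue;
        }
        $segments[] = $seg;
    }
    $normalised = '/' . implode('/', $segments);
    return strpos($normalised, '/typo3/') === 0;
}

// Constructed inputs with the result each one should produce; the loop
// reports PASS/FAIL so the function can be checked at a glance.
$cases = [
    'typo3/mod.php?M=web_list' => true,  // relative backend path
    '/typo3/alt_doc.php'       => true,  // absolute local path
    'http://evil.example/'     => false, // full external URL
    '//evil.example/login'     => false, // scheme-relative URL
    'javascript:alert(1)'      => false, // pseudo-scheme
    '/typo3/../index.php'      => false, // escapes the backend directory
    "/\\evil.example/"         => false, // backslash trick
];
foreach ($cases as $url => $expected) {
    $actual = isLocalFrameTarget($url);
    printf("%s %-30s => %s\n", $actual === $expected ? 'PASS' : 'FAIL', $url, var_export($actual, true));
}
```

The check is deliberately an allow-list on the normalised path rather than a deny-list of bad hosts: any parameter that fails it should be replaced by the module's default frame target, never echoed back into the frameset.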

Vulnerability Type: Remote shell command execution

Severity: Medium/High

Problem Description: By uploading files with malicious filenames, an editor could execute arbitrary shell commands on the server where the TYPO3 installation is located. A valid backend login is required to exploit this vulnerability.

Note: This problem does not exist in a standard TYPO3 installation if editors are only allowed to upload files to fileadmin with the filelist module, because the filenames are sanitized directly after upload. However, if you use third-party extensions like DAM, or your editors are allowed to upload files e.g. via FTP (the latter is highly discouraged), your system is affected by this vulnerability.

Solution: Update to the TYPO3 versions 4.1.13, 4.2.10 or 4.3beta2 that fix the problem described.

Credits: Credits go to Marcus Krause and Christian Welzel who discovered and reported the issue.
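The note above explains why the filename sanitization in the filelist module matters: once a name reaches a shell command unchanged, its metacharacters become part of the command. The following is an added example for this advisory, not TYPO3 code; the function names and the `convert` invocation are assumptions for illustration. It shows the two independent layers a practitioner wants: reducing the name to a safe character set when it is stored, and quoting every argument with `escapeshellarg()` when a command line is built, regardless of where the name came from.

```php
<?php
// Added example (not TYPO3 code): two defensive layers for file names that end
// up on a shell command line. The function names and the "convert" invocation
// are assumptions for illustration.

/**
 * Reduce an uploaded file name to a conservative character set: everything
 * outside [A-Za-z0-9._-] becomes "_", which also removes "/" and "\" (no
 * directory traversal); leading dots are stripped (no ".htaccess", no "..")
 * and the result is capped in length. Non-ASCII letters are lost, which is
 * the price of a strict allow-list.
 */
function sanitizeUploadedFileName(string $name): string
{
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    $name = ltrim($name, '.');
    if ($name === '') {
        $name = 'file';
    }
    return substr($name, 0, 100);
}

/**
 * Build a command line for an external image converter. Even with a sanitised
 * name, every argument is wrapped with escapeshellarg(), so the shell never
 * interprets metacharacters that originate from user-controlled data. The two
 * layers are independent: a name that arrived via FTP or a third-party
 * extension never passed the first one, so the second must always run.
 */
function buildConvertCommand(string $uploadDir, string $srcName, string $dstName): string
{
    $src = $uploadDir . '/' . sanitizeUploadedFileName($srcName);
    $dst = $uploadDir . '/' . sanitizeUploadedFileName($dstName);
    return 'convert ' . escapeshellarg($src) . ' -resize 200x200 ' . escapeshellarg($dst);
}

// Constructed file name carrying shell metacharacters, as an editor could
// submit it via FTP or through an extension that does not sanitise on upload.
$hostile = 'photo.jpg; id';
echo sanitizeUploadedFileName($hostile), "\n";
echo buildConvertCommand('/var/www/fileadmin', $hostile, 'thumb.jpg'), "\n";
```

Run it and the first line shows the name with `;` and the space replaced by underscores; the second line shows both paths single-quoted, so even a name that bypassed sanitization would be handed to the converter as one literal argument rather than parsed by the shell.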

Vulnerable subcomponent #2: Frontend Editing

Vulnerability Type: SQL injection

Severity: High

Problem Description: Failing to sanitize URL parameters, TYPO3 is susceptible to SQL injection in the frontend editing feature (the traditional one, not feeditadvanced, which will be shipped with TYPO3 4.3). A valid backend login and activated frontend editing are required to exploit this vulnerability.

Solution: Update to the TYPO3 versions 4.1.13, 4.2.10 or 4.3beta2 that fix the problem described.

Credits: Credits go to Christian Weiske who discovered and reported the issue.
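The frontend editing item above is the classic case of a URL parameter pasted into SQL text. The following is an added example for this advisory, not TYPO3 code: it places the injectable pattern next to the hardened one (integer cast for ids, bound parameter for strings) and runs both against an in-memory SQLite table loosely modelled on tt_content, so it executes stand-alone. The table layout, function names and request value are assumptions for illustration.

```php
<?php
// Added example (not TYPO3 code): a record lookup driven by a URL parameter,
// first with string concatenation (the injectable pattern) and then with an
// integer cast plus a prepared statement. Uses an in-memory SQLite database so
// it runs stand-alone; table layout and names are assumptions for illustration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tt_content (uid INTEGER PRIMARY KEY, pid INTEGER, header TEXT, hidden INTEGER)');
$db->exec("INSERT INTO tt_content (uid, pid, header, hidden) VALUES (1, 10, 'Public teaser', 0)");
$db->exec("INSERT INTO tt_content (uid, pid, header, hidden) VALUES (2, 10, 'Hidden draft', 1)");

// Injectable: the raw request value is pasted into the SQL text, so a value
// such as "1 OR 1=1" turns the WHERE clause into a tautology and the
// "hidden = 0" restriction no longer applies.
function findVisibleUnsafe(PDO $db, string $uidParam): array
{
    $sql = "SELECT uid, header FROM tt_content WHERE hidden = 0 AND uid = $uidParam";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the id is cast to int before it reaches the query, and the string
// filter is bound as a parameter so the database never parses it as SQL.
function findVisibleSafe(PDO $db, string $uidParam, string $headerPattern = '%'): array
{
    $uid = (int)$uidParam;            // "1 OR 1=1" becomes 1, "abc" becomes 0
    $stmt = $db->prepare(
        'SELECT uid, header FROM tt_content WHERE hidden = 0 AND uid = :uid AND header LIKE :header'
    );
    $stmt->execute([':uid' => $uid, ':header' => $headerPattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request value, as it could arrive in $_GET['uid'].
$param = '1 OR 1=1';
echo "unsafe:\n";
print_r(findVisibleUnsafe($db, $param));
echo "safe:\n";
print_r(findVisibleSafe($db, $param));
```

The unsafe variant returns the hidden draft alongside the public record because `AND` binds tighter than `OR`; the safe variant returns only uid 1. The cast is the right tool for numeric parameters, and binding is the right tool for everything else; quoting by hand is what both replace.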

Vulnerable subcomponent #3: API function t3lib_div::quoteJSvalue

Vulnerability Type: Cross-site scripting

Severity: Medium/High

Problem Description: The sanitizing algorithm of the API function t3lib_div::quoteJSvalue wasn't sufficient, so that an attacker could inject specially crafted HTML or JavaScript code. Since this function can be used in backend modules as well as in frontend extensions, this vulnerability could also be exploited without a valid backend login.

Solution: Update to the TYPO3 versions 4.1.13, 4.2.10 or 4.3beta2 that fix the problem described.

Credits: Credits go to Andreas Schnapp and Sebastian Spooren who discovered and reported the issue. 
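A function that quotes a value for use inside a JavaScript string literal has to be safe in the place the literal usually ends up: an inline `<script>` block in an HTML page. There the HTML parser runs first, so a `</script>` inside the string closes the script before JavaScript sees any escaping, and raw line terminators break the literal. The following is an added example for this advisory, not TYPO3's t3lib_div::quoteJSvalue and not a reconstruction of its flaw; the weak variant is an assumption for illustration, and the strict variant shows the approach a practitioner wants: hex-escape every ASCII byte outside a small allow-list, and escape U+2028/U+2029 explicitly.

```php
<?php
// Added example (not TYPO3's t3lib_div::quoteJSvalue): a JavaScript string
// literal encoder that stays safe inside an inline <script> block, next to a
// deliberately weak one that only handles quotes and backslashes. The weak
// variant is an assumption for illustration, not the vulnerable TYPO3 code.

// Weak: adequate for a standalone .js file, not for HTML, where "</script>"
// ends the script element and "\n" ends the string literal.
function quoteJsWeak(string $value): string
{
    return "'" . str_replace(['\\', "'"], ['\\\\', "\\'"], $value) . "'";
}

// Strict: every ASCII byte outside [A-Za-z0-9 ,._] is emitted as \xHH, so
// "<", ">", "/", quotes, "&" and line breaks cannot form HTML or break the
// literal. Bytes >= 0x80 (UTF-8) are passed through unchanged except for the
// two Unicode line terminators, which older engines treat as newlines.
function quoteJsStrict(string $value): string
{
    $out = '';
    $len = strlen($value);
    for ($i = 0; $i < $len; $i++) {
        $c = $value[$i];
        $b = ord($c);
        if ($b === 0xE2) {
            $three = substr($value, $i, 3);
            if ($three === "\xE2\x80\xA8" || $three === "\xE2\x80\xA9") {
                $out .= $three === "\xE2\x80\xA8" ? '\\u2028' : '\\u2029';
                $i += 2;
                continue;
            }
        }
        if ($b >= 0x80) {
            $out .= $c;
        } elseif (ctype_alnum($c) || $c === ' ' || $c === ',' || $c === '.' || $c === '_') {
            $out .= $c;
        } else {
            $out .= sprintf('\\x%02X', $b);
        }
    }
    return "'" . $out . "'";
}

// Constructed inputs: a quote, a script-closing tag and a line break.
$inputs = [
    "O'Reilly",
    "</script><b>injected</b>",
    "line1\nline2",
];
foreach ($inputs as $in) {
    echo 'weak:   <script>var s = ', quoteJsWeak($in), ";</script>\n";
    echo 'strict: <script>var s = ', quoteJsStrict($in), ";</script>\n\n";
}
```

The second input is the instructive one: the weak output contains a literal `</script>` inside the string, while the strict output contains only `\x3C\x2Fscript\x3E`, which the HTML parser never recognises as a tag. The same encoder can be used from a frontend extension, which is exactly where the advisory notes the function is reachable without a backend login.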

Vulnerable subcomponent #4: Frontend Login Box (felogin)

Vulnerability Type: Cross-site scripting

Severity: Medium

Problem Description: Failing to sanitize URL parameters, the Frontend Login Box is susceptible to XSS.

Solution: This problem only exists in TYPO3 versions 4.2.0 - 4.2.6 and was already fixed in version 4.2.7 while fixing a non-security-related issue.

Credits: Credits go to Chris John Riley who discovered and reported the issue and to Stefan Lang who discovered and reported the related issue.

Vulnerable subcomponent #5: Install Tool 

Vulnerability Type: Insecure Authentication and Session Handling

Severity: High

Problem Description: It is possible to gain access to the Install Tool by only knowing the md5 hash of the Install Tool password.

Solution: Update to the TYPO3 versions 4.1.13, 4.2.10 or 4.3beta2 that fix the problem described.

Credits: Credits go to Bernhard Kraft who discovered and reported the issue.
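The Install Tool item above describes a password hash that works as a credential on its own, which turns every copy of the stored hash (configuration file, backup, database dump) into a login. The advisory does not detail the mechanism, so the following is an added example for this advisory, not TYPO3 code, and both patterns in it are assumptions for illustration: a check that accepts a submitted hash, beside the shape that avoids the problem (verify the submitted password against a salted slow hash with PHP's `password_verify()`, then issue a random session token unrelated to either).

```php
<?php
// Added example (not TYPO3 code): why a stored password hash must never be
// accepted as the credential. The page does not describe the Install Tool's
// mechanism; both functions below are assumptions for illustration.

// Pattern to avoid: the client submits a hash and the server compares it with
// the stored hash. Anyone who can read the stored value can log in without
// knowing the password, and an unsalted MD5 is also cheap to brute-force.
function loginHashEquivalent(string $submittedHash, string $storedMd5): bool
{
    return $submittedHash === $storedMd5;
}

// Pattern to use: the client submits the password (over TLS), the server
// checks it against a salted, slow hash, and a successful login is represented
// by a random session token that has no relation to the password or its hash.
function loginPassword(string $submittedPassword, string $storedHash): ?string
{
    if (!password_verify($submittedPassword, $storedHash)) {
        return null;
    }
    return bin2hex(random_bytes(32));   // opaque token, stored server-side
}

// Compare a presented session token with the stored one in constant time.
function sessionValid(string $presented, string $stored): bool
{
    return hash_equals($stored, $presented);
}

// Constructed demo values.
$password   = 'correct horse battery staple';
$storedMd5  = md5($password);                          // legacy storage
$storedHash = password_hash($password, PASSWORD_DEFAULT);

// Legacy check: the stolen hash alone is accepted.
var_dump(loginHashEquivalent($storedMd5, $storedMd5));
// Password-based check: neither stored value is accepted as a credential ...
var_dump(loginPassword($storedHash, $storedHash) !== null);
var_dump(loginPassword($storedMd5, $storedHash) !== null);
// ... and only the real password yields a session token.
$token = loginPassword($password, $storedHash);
var_dump($token !== null && sessionValid($token, $token));
```

The token is what the session carries from then on; it expires with the session and reveals nothing about the password, so a leaked token is revoked by deleting it server-side rather than by changing the password.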

Vulnerability Type: Cross-site scripting

Severity: Medium

Problem Description: Failing to sanitize URL parameters, the Install Tool is susceptible to Cross-site scripting attacks.

Solution: Update to the TYPO3 versions 4.1.13, 4.2.10 or 4.3beta2 that fix the problem described.

Credits: Credits go to Chris John Riley and Susanne Moog who discovered and reported the issue.


General Advice: The Install Tool is not meant to be activated in production environments, which is already clearly stated in several places in the TYPO3 backend and the Install Tool itself. Please respect these warnings and use the new feature in TYPO3 versions 4.2.8 and above to enable the Install Tool for maintenance only and disable it immediately afterwards.


Note on TYPO3 Lifecycle Policy:

The following TYPO3 versions are currently (as of October 2009) officially supported:

  • TYPO3 4.3 (upcoming new stable version)
  • TYPO3 4.2 (current stable; updates and security fixes)
  • TYPO3 4.1 (old stable; security fixes only)

Important: The support period of TYPO3 4.1 expires after the release of the new TYPO3 version 4.3 (planned for November 28th, 2009).

Note: After long years of support with updates and security fixes, the very old TYPO3 version 4.0 will no longer be supported officially. Users of this version are advised to update their installations at least to version 4.1 or, even better, to version 4.2. However, if this is not an option for you in a short timeframe, feel free to contact the security team directly. We will then try to find an individual solution for you.

General Advice: Follow the recommendations that are given in the TYPO3 SECURITY Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.