Component Type: TYPO3 Core
Affected Versions: 4.3.0, 4.3.1 and 4.3.2 (+ development releases of 4.4 branch)
Vulnerability Types: Remote Command Execution
Overall Severity: Critical
Release Date: April 9, 2010
Vulnerable subcomponent: TYPO3 autoloader
Vulnerability Type: Remote Command Execution
Problem Description: The TYPO3 autoloader does not validate passed arguments.
You are not vulnerable if at least one of following conditions is met:
- You are using any other TYPO3 version than 4.3.0, 4.3.1 or 4.3.2 (+ development releases of 4.4 branch).
- You have at least one of following PHP configuration variables set to "off": register_globals ("off" by default, advised to be "off" in <media>TYPO3 Security Cookbook</media>), allow_url_include ("off" by default) and allow_url_fopen ("on" by default)
- You are using Suhosin and haven't put URL schemes in configuration variable "suhosin.executor.include.whitelist".
Possible Impact: A crafted request to a vulnerable TYPO3 installation will allow an attacker to load PHP code from an external server and to execute it on the TYPO3 installation.
Solution: You can choose one of the solutions below:
- Update to the TYPO3 version 4.3.3 that fix the problem described!
- Set at least one of following PHP configuration variables to "off": register_globals, allow_url_include and allow_url_fopen
- Apply the patch that is linked below!
- Replace all files that are part of the security fix by using the zip archive that is linked below!
- Set up a mod_security rule:
SecRule ARGS:error "^(https?|ftp)" "deny"
Patch: how to patch
- Patch for TYPO3 version 4.3.x (md5 sum: 19fec0afa12e91152811d9c6e9c73cf1)
Files: Extract the archive and replace server files with those that are in the archive
- Archive containing safe to use files (md5 sum: fb5e62007c20f8a03b06d1acab1f4c8e)
Note: We have been informed that this vulnerability has already been exploited.
Credits: Credits go to Christian BÃ¼lter and Bastian Heiser who discovered and reported the issue and the Security Team members Dmitry Dulepov, Marcus Krause and Helmut Hummel for providing the mod_security rule and the patch.
General Advice: Follow the recommendations that are given in the TYPO3 Security Cookbook. Please subscribe to the typo3-announce mailing list.