TYPO3-SA-2010-020: Multiple vulnerabilities in TYPO3 Core

Categories: TYPO3 CMS
Created by: Helmut Hummel
It has been discovered that TYPO3 Core is vulnerable to Remote File Disclosure, Cross-Site Scripting (XSS), Privilege Escalation and Denial of Service.

Component Type: TYPO3 Core

Affected Versions: 4.2.14 and below, 4.3.6 and below, 4.4.3 and below

Vulnerability Types: Remote File Disclosure, Cross-Site Scripting (XSS), Privilege Escalation, Denial of Service

Overall Severity: Critical

Release Date: October 06, 2010

Vulnerable subcomponent #1: Access tracking mechanism

Vulnerability Type: Remote File Disclosure

Severity: Critical

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:C/I:N/A:N/E:F/RL:OF/RC:C

Problem Description: A Remote File Disclosure vulnerability in the jumpUrl mechanism, which is used to track access to web pages and to files offered for download, allows a remote attacker to read arbitrary files on the host. The submitted hash is compared with the calculated hash using PHP's loose comparison operator (==) instead of the type-safe === operator, so an attacker can submit a spoofed hash value that compares equal to the real one and thereby bypass the access control.

No authentication is required to exploit this vulnerability. It allows reading any file the web server user account has access to.

Solution: Update to the TYPO3 versions 4.2.15, 4.3.7 or 4.4.4 that fix the problem described.

It is possible to mitigate this vulnerability for unsupported TYPO3 branches by choosing one of the options below. We nevertheless strongly recommend upgrading your TYPO3 installation at least to the lowest supported branch.

  1. Use this shell script (md5 sum: 2af9fb67885b256e27e54d3f50620597, documentation in file) and run it across your web servers to replace the affected lines, or
  2. Edit the affected file class.tslib_fe.php following the instructions below.

In TYPO3 versions 4.0 and later, the affected file is located at typo3/sysext/cms/tslib/class.tslib_fe.php.

In TYPO3 versions below 4.0, the affected file is located at tslib/class.tslib_fe.php and may additionally be symlinked from typo3/sysext/cms/tslib/class.tslib_fe.php.

In the file, search for the line:
------------------------
if ($juHash == $calcJuHash) {
------------------------

and replace it with:
------------------------
if ($juHash === $calcJuHash) {
------------------------
(Replace the two equals signs with three.)
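The following script is an added example written for this advisory; it is not TYPO3 code. It reproduces the class of bug described above and the one-character fix given in the instructions: a hash check written with PHP's loose comparison operator (==) against the same check written with ===. The hash derivation in calcJuHash() and all hash values are assumptions chosen for the demonstration; TYPO3's real juSecure hash input differs.

```php
<?php
// Added example, not TYPO3 code. It reproduces the class of bug the advisory
// describes: a hash check written with PHP's loose comparison operator (==).
// The hash derivation below is an assumption made for this example; TYPO3's
// real juSecure hash input differs.

function calcJuHash($jumpurl, $locationData, $encryptionKey) {
    // Assumed derivation: first 10 hex characters of an MD5 over the request
    // data and a server-side secret.
    return substr(md5($jumpurl . '|' . $locationData . '|' . $encryptionKey), 0, 10);
}

// Vulnerable check (the line the advisory patches): == converts two
// numeric-looking strings to numbers before comparing them.
function juHashValidLoose($juHash, $calcJuHash) {
    return $juHash == $calcJuHash;
}

// Fixed check: === compares type and value, so only the identical string passes.
function juHashValidStrict($juHash, $calcJuHash) {
    return $juHash === $calcJuHash;
}

// A calculated hash can be spoofed under == whenever PHP treats it as a
// numeric string: every other string with the same numeric value then passes.
function isLooselySpoofable($calcJuHash) {
    return is_numeric($calcJuHash);
}

// Hypothetical hash values chosen to show the effect. "0e" followed only by
// digits is a numeric string whose value is 0, and so is the submitted "0".
$cases = array(
    array('submitted' => '0',          'calculated' => '0e12345678'),
    array('submitted' => '0e99999999', 'calculated' => '0e12345678'),
    array('submitted' => '0',          'calculated' => 'a1b2c3d4e5'),
);

foreach ($cases as $c) {
    printf("submitted=%-12s calculated=%-12s spoofable=%-4s loose=%-5s strict=%s\n",
        $c['submitted'], $c['calculated'],
        isLooselySpoofable($c['calculated']) ? 'yes' : 'no',
        juHashValidLoose($c['submitted'], $c['calculated']) ? 'PASS' : 'fail',
        juHashValidStrict($c['submitted'], $c['calculated']) ? 'PASS' : 'fail');
}

// With a real hash for a request, only the exact string is accepted by the fixed check.
$real = calcJuHash('fileadmin/report.pdf', '1:tt_content:5', 'hypothetical-encryption-key');
printf("strict check with the correct hash: %s\n", juHashValidStrict($real, $real) ? 'PASS' : 'fail');
```

In PHP, two strings that both look numeric are compared as numbers by ==, so '0' == '0e12345678' and '0e99999999' == '0e12345678' both evaluate to true although the strings differ; === compares the strings byte for byte and rejects them. The third case shows that the two operators agree as long as the calculated hash is not a numeric string, which is why the flaw only surfaces for particular hash values and is easy to miss in testing. isLooselySpoofable() gives the general predicate: any calculated hash for which is_numeric() returns true can be matched by a different string with the same numeric value.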

Credits: Credits go to Gregor Kopf for finding and reporting the issue and Security Team Members Helmut Hummel and Marcus Krause for providing patches.

Vulnerable subcomponent #2: Backend

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C

Problem Description: Failing to sanitize user input, the TYPO3 backend is susceptible to XSS attacks in several places. A valid backend login is required to exploit these vulnerabilities.

Solution: Update to the TYPO3 versions 4.2.15, 4.3.7 or 4.4.4 that fix the problem described.

Credits: Credits go to Daniel Sloof, Core Team Member Susanne Moog and Security Team Member Helmut Hummel, who discovered and reported the issues.

Vulnerability Type: Remote File Disclosure

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:C/I:P/A:N/E:F/RL:OF/RC:C

Problem Description: Failing to properly validate user input, the Extension Manager is susceptible to Remote File Disclosure. By forging a special request parameter it is possible to view (and, under special conditions, edit) the contents of every file the web server has access to. A valid admin user login is required to exploit this vulnerability.

Solution: Update to the TYPO3 versions 4.2.15, 4.3.7 or 4.4.4 that fix the problem described.

Credits: Credits go to Jeremy Lebourdais who discovered and reported the issue and Security Team Member Marcus Krause for creating patches.

Vulnerability Type: Privilege Escalation

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C

Problem Description: Failing to properly validate user input, the sys_action task "be_user_creation" is susceptible to Privilege Escalation. By forging a POST request, an editor with the right to create users in the taskcenter can create users that are members of arbitrary user groups and thereby potentially escalate her own privileges.

Solution: Update to TYPO3 version 4.2.15 or 4.3.7, which fix the problem described. TYPO3 versions 4.4.0 and above are not affected.

Credits: Credits go to former Security Team member Henning Pingel who discovered and reported the issue.

Vulnerable subcomponent #3: Validation/ Filtering API

Vulnerability Type: Denial of Service

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

Problem Description: Because PHP's filter_var() function crashes when very large strings are passed to it, TYPO3 is susceptible to a Denial of Service attack wherever the API function t3lib_div::validEmail() is used.
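The following script is an added example for this advisory, not TYPO3 code and not the patch the Security Team shipped. It shows the defensive pattern a validEmail()-style helper needs: a length check that runs before filter_var() is called, so that an oversized string is rejected without ever reaching the validator that the advisory says crashes on large input. The 254-character limit is a choice made for this example (the customary upper bound for an e-mail address), and the inputs are constructed.

```php
<?php
// Added example, not TYPO3 code. A length guard placed in front of
// filter_var() so that oversized input never reaches the validator.
// The 254-character limit is a choice for this example, not a value
// taken from TYPO3.

define('EXAMPLE_MAX_EMAIL_LENGTH', 254);

// Hardened counterpart of a validEmail()-style helper: reject by type and
// length first, then let filter_var() decide on the syntax.
function validEmailGuarded($email) {
    if (!is_string($email)) {
        return false;
    }
    if (strlen($email) > EXAMPLE_MAX_EMAIL_LENGTH) {
        return false;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed inputs: two ordinary values and one oversized string of the
// kind an attacker would submit to any form that calls the validator.
$inputs = array(
    'editor@example.org',
    'not an address',
    str_repeat('a', 100000) . '@example.org',
);

foreach ($inputs as $in) {
    $shown = strlen($in) > 25 ? substr($in, 0, 22) . '...' : $in;
    printf("%-26s length=%-7d valid=%s\n", $shown, strlen($in),
        validEmailGuarded($in) ? 'yes' : 'no');
}
```

The order of the checks is the whole point: the length comparison is cheap and cannot crash, so it must come before filter_var(), not after it. The same guard belongs in front of any other validator that hands untrusted input to a regular-expression engine.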

Solution: Update to the TYPO3 versions 4.2.15, 4.3.7 or 4.4.4 that fix the problem described.

Credits: Credits go to Bjoern Pedersen who discovered and reported the issue and Security Team Member Marcus Krause for creating patches.

Vulnerability Type: Cross-Site Scripting

Severity: Low

Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C

Problem Description: The normalisation step of the RemoveXSS function was incomplete, allowing an attacker to inject arbitrary JavaScript code that the function should have stripped.

Solution: Update to the TYPO3 versions 4.2.15, 4.3.7 or 4.4.4 that fix the problem described.

Credits: Credits go to Franz G. Jahn who discovered and reported the issue and provided an initial patch to mitigate the vulnerability.

General Advice: Follow the recommendations that are given in the TYPO3 Security Cookbook. Please subscribe to the typo3-announce mailing list.