TYPO3-CORE-SA-2012-001: Several Vulnerabilities in TYPO3 Core

March 28, 2012

Category: TYPO3 CMS
Author: Helmut Hummel
Keywords: TYPO3, security, TYPO3-CORE-SA-2012-001, core

It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting, Information Disclosure, Insecure Unserialize

Component Type: TYPO3 Core

Affected Versions: 4.4.0 up to 4.4.13, 4.5.0 up to 4.5.13, 4.6.0 up to 4.6.6 and development releases of the 4.7 and 6.0 branch.

Vulnerability Types: Cross-Site Scripting, Information Disclosure, Insecure Unserialize

Overall Severity: Medium

Release Date: March 28, 2012

Updated: March 30, 2012 (added CVEs)

Vulnerable subcomponent: Extbase Framework

Affected Versions: Versions 4.4.x and 4.5.x are not affected by this vulnerabilty.

Vulnerability Type: Insecure Unserialize

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C (What's that?)

CVE: CVE-2012-1605 (What's that?)

Problem Description: Due to a missing signature (HMAC) for a request argument, an attacker could unserialize arbitrary objects within TYPO3.

To our knowledge it is neither possible to inject code through this vulnerability, nor are there exploitable objects within the TYPO3 Core. However, there might be exploitable objects within third party extensions.

Solution: Update to the TYPO3 version 4.6.7 that fix the problem described!

Note: The same problem applies to FLOW3. Read the according advisory TYPO3-FLOW3-SA-2012-001 for more information.

Credits: Credits go to Security Team Member Helmut Hummel who discovered and reported the issue.

Vulnerable subcomponent: TYPO3 Backend

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C (What's that?)

CVE: CVE-2012-1606 (What's that?)

Problem Description: Failing to properly HTML-encode user input in several places, the TYPO3 backend is susceptible to Cross-Site Scripting. A valid backend user is required to exploit these vulnerabilities.

Solution: Update to the TYPO3 versions 4.4.14, 4.5.14 or 4.6.7 that fix the problem described!

Important Note: With these TYPO3 versions the description field of the filelink content element is HTML encoded by default. If you allowed editors to enter HTML code in this field, you may want to add the following line to your TypoScript template, before updating.

tt_content.uploads.20.itemRendering.20.2.htmlSpecialChars = 0

Allowing HTML in this field is discouraged for editors, same as allowing the plain HTML content element.

Credits: Credits go to Security Team Members Georg Ringer and Oliver Klee who discovered and reported the issues.

Vulnerable subcomponent: TYPO3 Command Line Interface

Vulnerability Type: Information Disclosure

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C (What's that?)

CVE: CVE-2012-1607 (What's that?)

Problem Description: Accessing a CLI Script directly with a browser may disclose the database name used for the TYPO3 installation.

Solution: Update to the TYPO3 versions 4.4.14, 4.5.14 or 4.6.7 that fix the problem described!

Credits: Credits go to Chris John Riley who discovered and reported the issue.

Vulnerable subcomponent: TYPO3 HTML Sanitizing API

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C (What's that?)

CVE: CVE-2012-1608 (What's that?)

Problem Description: By not removing non printable characters, the API method t3lib_div::RemoveXSS() fails to filter specially crafted HTML injections, thus is susceptible to Cross-Site Scripting.

Note: Developers should never rely on the blacklist of RemoveXSS() alone, but should always properly encode user input before outputting it again.

Solution: Update to the TYPO3 versions 4.4.14, 4.5.14 or 4.6.7 that fix the problem described!

Credits: Credits go to Marc Wöhlken who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.