TYPO3-CORE-SA-2013-002: Cross-Site Scripting and Remote Code Execution Vulnerability in TYPO3 Core
July 30, 2013
It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting and Remote Code Execution.
Component Type: TYPO3 Core
Vulnerability Types: Cross-Site Scripting, Remote Code Execution
Overall Severity: Critical
Release Date: July 30, 2013
Vulnerable subcomponent: Third Party Libraries used for audio and video playback
Vulnerability Type: Cross-Site Scripting
Affected Versions: All versions from 4.5.0 up to the development branch of 6.2
Problem Description: TYPO3 bundles Flash files for video and audio playback. Old versions of FlowPlayer and flashmedia are susceptible to Cross-Site Scripting. No authentication is required to exploit this vulnerability.
Solution: Update to TYPO3 version 4.5.29, 4.7.14, 6.0.8 or 6.1.3, which fix the problem described.
Credits: Credits go to Markus Pieton and Vytautas Paulikas who discovered and reported the issues.
Vulnerable subcomponent: Backend File Upload / File Abstraction Layer
Vulnerability Type: Remote Code Execution by arbitrary file creation
Affected Versions: All versions from 6.0.0 up to the development branch of 6.2
Problem Description: The file upload component and the File Abstraction Layer fail to check uploaded file names against the configured deny list of file extensions. This allows authenticated editors (even those with limited permissions) to upload PHP files containing arbitrary code, which is then executed in the web server's context.
Solution: Update to TYPO3 version 6.0.8 or 6.1.3, which fix the problem described.
Credits: Credits go to Sebastian Nerz who discovered and reported the issue.
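The kind of deny-list check the upload path described above was missing, as an added stand-alone example (this is not TYPO3's own code). The regular expression is modelled on the shape of TYPO3's default fileDenyPattern, but the exact pattern, the function name and the sample file names are assumptions made for this illustration.

```php
<?php
// Added example, not TYPO3 code: a deny-list check for uploaded file names.
// The pattern is an assumption modelled on TYPO3's default fileDenyPattern.
const FILE_DENY_PATTERN = '/\.(php[3-7]?|phpsh|phtml|pht|phar)(\..*)?$|^\.htaccess$/i';

/**
 * Returns true when $filename may be stored, false when it must be rejected.
 * Fails closed: any regex error counts as a rejection.
 */
function isUploadFilenameAllowed(string $filename): bool
{
    // Reject empty names and names with control characters up front. An
    // embedded NUL can truncate the name once it reaches the C runtime.
    if ($filename === '' || preg_match('/[\x00-\x1f\x7f]/', $filename) !== 0) {
        return false;
    }

    // Check the basename only, so "dir/../shell.php" cannot hide the
    // extension from the end-of-string anchor.
    $name = basename(str_replace('\\', '/', $filename));
    if ($name === '') {
        return false;
    }

    // The (\..*)?$ group also catches double extensions such as
    // "shell.php.txt", which AddHandler-style PHP setups still execute.
    // /i makes the check case-insensitive, so "SHELL.PHP" is rejected too.
    return preg_match(FILE_DENY_PATTERN, $name) === 0;
}

// Constructed sample names with the expected verdict for each.
$samples = [
    'image.jpg'        => true,
    'report.pdf'       => true,
    'shell.php'        => false,
    'SHELL.PHP'        => false,  // case-insensitive
    'shell.php.txt'    => false,  // double extension
    'notes.php.bak'    => false,
    'shell.phtml'      => false,
    'shell.php7'       => false,
    '.htaccess'        => false,  // could re-enable PHP execution in fileadmin
    "image.php\0.jpg"  => false,  // embedded NUL
    'dir/../shell.php' => false,
];

foreach ($samples as $name => $expected) {
    $verdict = isUploadFilenameAllowed($name);
    printf(
        "%-20s %-8s %s\n",
        addcslashes($name, "\0"),
        $verdict ? 'allowed' : 'denied',
        $verdict === $expected ? 'ok' : 'MISMATCH'
    );
}
```

Run it with `php check.php`; every line should end in `ok`. A deny list is only a second line of defence: on a real installation, upload directories should additionally be configured so the web server never hands their contents to the PHP interpreter, and an allow list of expected extensions is preferable wherever the use case permits one.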