TYPO3-CORE-SA-2013-004: Multiple Vulnerabilities in TYPO3 CMS

December 10, 2013

Category: TYPO3 CMS
Author: Helmut Hummel
Keywords: Cross-Site Scripting, XSS, Information Disclosure, Mass Assignment, Open Redirection, Unsafe Unserialize

It has been discovered that TYPO3 CMS is vulnerable to Cross-Site Scripting, Information Disclosure, Mass Assignment, Open Redirection and Insecure Unserialize.

Component Type: TYPO3 CMS

Vulnerability Types: Cross-Site Scripting, Information Disclosure, Mass Assignment, Open Redirection and Insecure Unserialize

Overall Severity: Medium

Release Date: December 10, 2013

Vulnerable subcomponent: Content Editing Wizards

Vulnerability Type: Information Disclosure

Affected Versions: Versions 4.5.0 to 4.5.31, 4.7.0 to 4.7.16, 6.0.0 to 6.0.11, 6.1.0 to 6.1.6 and the development branch of 6.2

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:N/A:N/E:F/RL:O/RC:C

CVE: CVE-2013-7073

Problem Description: Because user permissions are not checked, authenticated editors can read (but not update or change) content from arbitrary TYPO3 table columns by forging URL parameters.

Solution: Update to TYPO3 version 4.5.32, 4.7.17, 6.0.12 or 6.1.7, which fix the problem described.

Credits: Credits go to Security Team member Georg Ringer who discovered and reported the issue.


Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 4.5.0 to 4.5.31, 4.7.0 to 4.7.16, 6.0.0 to 6.0.11, 6.1.0 to 6.1.6 and the development branch of 6.2

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C

CVE: CVE-2013-7074

Problem Description: Failing to properly encode user input, several content wizards are susceptible to Cross-Site Scripting, allowing authenticated editors to inject arbitrary HTML or JavaScript by crafting URL parameters.

Solution: Update to TYPO3 version 4.5.32, 4.7.17, 6.0.12 or 6.1.7, which fix the problem described.

Credits: Credits go to Richard Brain and Security Team member Georg Ringer who discovered and reported the issues.


Vulnerability Type: Insecure Unserialize

Affected Versions: Versions from 4.5.0 to 4.5.31, 4.7.0 to 4.7.16, 6.0.0 to 6.0.11, 6.1.0 to 6.1.6 and the development branch of 6.2

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:N/I:P/A:P/E:F/RL:O/RC:C

CVE: CVE-2013-7075

Problem Description: Due to a missing signature for an input parameter, an attacker could unserialize arbitrary objects within TYPO3. We are aware of a working exploit which can be used to delete arbitrary files that are writable for the PHP server process. A valid backend user login or a successful Cross-Site Request Forgery attack is required to exploit this vulnerability.

Solution: Update to TYPO3 version 4.5.32, 4.7.17, 6.0.12 or 6.1.7, which fix the problem described.

Credits: Credits go to Rupert Germann who discovered and reported the issue.


Vulnerable subcomponent: Extension Manager

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 4.5.0 to 4.5.31 and 4.7.0 to 4.7.16

Severity: Low

Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C

CVE: CVE-2013-7076

Problem Description: Failing to properly encode user input, the extension manager is susceptible to Cross-Site Scripting. To exploit this vulnerability, attackers could trick authenticated administrators into following a forged URL which executes injected JavaScript on behalf of the administrator.

Solution: Update to TYPO3 version 4.5.32 or 4.7.17, which fix the problem described.

Credits: Credits go to Steffen Müller who discovered and reported the issue.


Vulnerable subcomponent: Backend User Administration

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.0.0 to 6.0.11, 6.1.0 to 6.1.6 and the development branch of 6.2

Severity: Low

Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C

CVE: CVE-2013-7077

Problem Description: Failing to properly encode user input, the Backend User Administration Module is susceptible to Cross-Site Scripting. To exploit this vulnerability, attackers could trick authenticated administrators into following a forged URL which executes injected JavaScript on behalf of the administrator.

Solution: Update to TYPO3 version 6.0.12 or 6.1.7, which fix the problem described.

Credits: Credits go to Sebastian Nerz and Security Team member Georg Ringer who discovered and reported the issues.


Vulnerable subcomponent: Extbase

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions from 4.5.0 to 4.5.31, 4.7.0 to 4.7.16, 6.0.0 to 6.0.11, 6.1.0 to 6.1.6 and the development branch of 6.2

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:H/RL:O/RC:C

CVE: CVE-2013-7078

Problem Description: The errorAction method in the ActionController base class of Extbase returns error messages without properly encoding them. Because these error messages can contain user input, this can lead to a Cross-Site Scripting vulnerability in TYPO3 extensions built on the Extbase framework. For this vulnerability to be exploited, the following conditions must be fulfilled:

  • An Extbase extension must be installed and be available as plugin or module.
  • The plugin or module must have the Rewritten Property Mapper enabled.
  • The errorAction has not been overridden in the controller subclass in a way that removes error messages from the return values.

Although we are not aware of any possibility to exploit this issue with the old property mapper or the Extbase version that has been delivered with TYPO3 4.5.x, we removed potentially offending output from these versions as well.

Hint: If your Extbase extension has controller classes that override errorAction, we advise you to check that the error messages returned in these actions contain only static strings and are not derived from any kind of user input. If you are not sure whether your code is fine in that regard, feel free to ask on a public mailing list or the forum.
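The following is an added example, not TYPO3 core code or code from the advisory, showing what a safe errorAction override looks like. It assumes the TYPO3 6.x Extbase API (ActionController, $this->arguments, Result::getFlattenedErrors()); the vendor, extension and class names are hypothetical.

```php
<?php
// Added example (not TYPO3 core code). Hypothetical extension "example_ext".
// In affected versions the base errorAction() concatenated property paths and
// validation messages, which may echo the submitted value, into the response
// without encoding. This override never emits request-derived text unencoded.
namespace Vendor\ExampleExt\Controller;

use TYPO3\CMS\Extbase\Mvc\Controller\ActionController;

class ExampleController extends ActionController {

    /**
     * The simplest safe variant is to return a static string only, as the
     * advisory hint recommends. If per-field messages are genuinely needed,
     * every fragment that may originate from user input must be HTML-encoded
     * before it reaches the output, as done below.
     *
     * @return string
     */
    protected function errorAction() {
        $lines = array('The submitted data could not be processed.');
        // Assumes Extbase 6.x: getValidationResults() returns an Error\Result.
        $flattened = $this->arguments->getValidationResults()->getFlattenedErrors();
        foreach ($flattened as $propertyPath => $errors) {
            foreach ($errors as $error) {
                // Both the property path and the message are treated as untrusted.
                $lines[] = 'Error for ' . htmlspecialchars($propertyPath, ENT_QUOTES, 'UTF-8')
                    . ': ' . htmlspecialchars($error->getMessage(), ENT_QUOTES, 'UTF-8');
            }
        }
        return implode('<br />', $lines);
    }
}
```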

Important: We have received reports that this issue has been actively exploited in the wild.

Solution: Update to TYPO3 version 4.5.32, 4.7.17, 6.0.12 or 6.1.7, which fix the problem described.

Note: The same problem applies to the TYPO3 Flow Framework. The corresponding advisory is TYPO3-FLOW-SA-2013-001.

Credits: Credits go to André Koch who discovered and reported the issue.


Vulnerable subcomponent: OpenID Extension

Vulnerability Type: Open Redirection

Affected Versions: Versions from 4.5.0 to 4.5.31, 4.7.0 to 4.7.16, 6.0.0 to 6.0.11, 6.1.0 to 6.1.6 and the development branch of 6.2

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:O/RC:C

CVE: CVE-2013-7079

Problem Description: Failing to validate user-provided input, the openid extension allows redirects to arbitrary URLs. For this vulnerability to exist, the openid extension must be installed.

Solution: Update to TYPO3 version 4.5.32, 4.7.17, 6.0.12 or 6.1.7, which fix the problem described.

Credits: Credits go to Security Team member Georg Ringer who discovered and reported the issue.


Vulnerable subcomponent: Extension table administration library

Vulnerability Type: Mass Assignment

Affected Versions: Versions from 4.5.0 to 4.5.31, 4.7.0 to 4.7.16 and 6.0.0 to 6.0.11

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: CVE-2013-7080

Problem Description: Extensions that make use of the feuser_adminLib.inc library to create records are susceptible to Mass Assignment. This means that any links for creating records generated by this library can be manipulated to fill any field in the configured database table with arbitrary values. An attack is not limited to the fields listed in the configuration or in the link itself. This library has been deprecated and removed from TYPO3 versions 6.1 and later, but we still decided to fix this issue in previous versions.

Hint: Extension authors are highly encouraged not to use this deprecated library anymore.

Solution: Update to TYPO3 version 4.5.32, 4.7.17 or 6.0.12, which fix the problem described.

Credits: Credits go to Bernhard Kraft who discovered and reported the issue.


Vulnerable subcomponent: (Old) Form Content Element

Vulnerability Type: Information Disclosure potentially leading to Privilege Escalation

Affected Versions: Versions from 4.5.0 to 4.5.31, 4.7.0 to 4.7.16, 6.0.0 to 6.0.11, 6.1.0 to 6.1.6 and the development branch of 6.2

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:N/A:N/E:F/RL:O/RC:C

CVE: CVE-2013-7081

Problem Description: Editors that have access to the (old) form content element were able to generate arbitrary signatures (HMACs) that could be used in contexts which the editor should not have access to. As a precaution we changed the generation of the signature in a way to prevent usage in a different context.

Note: The old form content element is used by TYPO3 if the delivered extension "form" is not active.

Solution: Update to TYPO3 version 4.5.32, 4.7.17, 6.0.12 or 6.1.7, which fix the problem described.

Credits: Credits go to Security Team member Franz Jahn who discovered and reported the issue.
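The two signature-related issues above, the missing signature on an unserialized parameter (CVE-2013-7075) and a signature that could be reused in another context (CVE-2013-7081), share one defensive pattern: sign the parameter with a keyed MAC bound to the issuing context, and verify it before unserialize() is ever called. The following added example is not TYPO3 code; $secret stands in for the installation's encryption key, the context names and payload are constructed, and it assumes PHP 7 or later for the allowed_classes option.

```php
<?php
// Added example, not TYPO3 code. $secret plays the role of the encryption key;
// all context names and payloads below are constructed for the demonstration.

function signParameter($serialized, $context, $secret) {
    // Domain separation: the context name is part of the keyed input, so a
    // signature issued by one feature cannot be presented to another one.
    return hash_hmac('sha256', $context . '|' . $serialized, $secret);
}

function verifyAndUnserialize($serialized, $hmac, $context, $secret) {
    $expected = signParameter($serialized, $context, $secret);
    // Constant-time comparison (hash_equals needs PHP 5.6+).
    if (!hash_equals($expected, (string)$hmac)) {
        return null; // reject: unserialize() is never reached for unverified input
    }
    // Defense in depth: even verified data gets no object instantiation (PHP 7+).
    return unserialize($serialized, array('allowed_classes' => false));
}

// Constructed demonstration values.
$secret = 'constructed-encryption-key';
$payload = serialize(array('table' => 'tt_content', 'uid' => 42));
$hmac = signParameter($payload, 'form-content-element', $secret);

// Accepted: same payload, same context, valid signature.
var_dump(verifyAndUnserialize($payload, $hmac, 'form-content-element', $secret));
// Rejected: a signature minted for the form element is presented to another context.
var_dump(verifyAndUnserialize($payload, $hmac, 'content-wizard', $secret));
// Rejected: the serialized payload was altered after signing.
$tampered = serialize(array('table' => 'be_users', 'uid' => 1));
var_dump(verifyAndUnserialize($tampered, $hmac, 'form-content-element', $secret));
```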


General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.