TYPO3-CORE-SA-2014-002: Multiple Vulnerabilities in TYPO3 CMS

October 22, 2014

Category: TYPO3 CMS
Author: Marcus Krause
Keywords: TYPO3 CMS, TYPO3-CORE-SA-2014-002, Denial of Service, Arbitray Shell Execution

It has been discovered that TYPO3 CMS is vulnerable to Denial of Service and Arbitrary Shell Execution!

Component Type: TYPO3 CMS

Vulnerability Types: Denial of Service, Arbitrary Shell Execution

Overall Severity: Medium

Release Date: October 22, 2014

 

Vulnerable subcomponent: OpenID System Extension

Vulnerability Type: Denial of Service

Affected Versions: Versions 4.5.0 to 4.5.36, 4.7.0 to 4.7.19, 6.1.0 to 6.1.11 and 6.2.0 to 6.2.5

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:OF/RC:C

Related CVE: CVE-2013-4701

Problem Description: The OpenID library that is shipped with TYPO3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via XRDS data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. Affected are all TYPO3 installation with system extension openid installed and enabled.

Solution: Update to TYPO3 versions 4.5.37, 4.7.20, 6.1.12 or 6.2.6 that fix the problem described.

Solution: Alternatively disabling openid system extension also fixes the vulnerability in case an update is currently not possible. However it is unlikely but possible that other third party extensions use the OpenID library exposing this TYPO3 installation to this vulnerability again. Therefore updating is strongly recommended.

Solution: TYPO3 branches 4.6 and 6.0 are also affected by this vulnerability but have reached end of maintenance. We hereby provide patches for the these branches: 62357_4-6.diff, 62357_6-0.diff

Solution:Since the fix has also been committed to our git source code repository also in the 4.6 and 6.0 branches, updating your installation to the latest state of the according branch also fixes the vulnerability.

Credits: The vendor credits Kousuke Ebihara.

 

Vulnerable subcomponent: Swiftmailer library

Vulnerability Type: Arbitrary Shell Execution

Affected Versions: Versions 4.5.0 to 4.5.36, 4.7.0 to 4.7.19, 6.1.0 to 6.1.11 and 6.2.0 to 6.2.5

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:ND/RL:OF/RC:C

Related announcement: Swiftmailer release 5.2.1

Problem Description: The swiftmailer library in use allows to execute arbitrary shell commands if the "From" header comes from a non-trusted source and no "Return-Path" is configured. Affected are only TYPO3 installation the configuration option

$GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport'] 

is set to "sendmail". Installations with the default configuration are not affected.

Solution: Update to TYPO3 versions 4.5.37, 4.7.20, 6.1.12 or 6.2.6 that fix the problem described.

Solution:TYPO3 branches 4.6 and 6.0 are also affected by this vulnerability but have reached end of maintenance. We hereby provide patches for the these branches: 59573_4-6.diff, 59573_6-0.diff

Solution: Since the fix has also been committed to our git source code repository also in the 4.6 and 6.0 branches, updating your installation to the latest state of the according branch also fixes the vulnerability.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.