TYPO3-EXT-SA-2016-021: Denial of Service in extension "Speaking URLs for TYPO3" (realurl)

September 08, 2016

Category: TYPO3 Extension
Author: Helmut Hummel
Keywords: TYPO3, security, typo3-ext-sa-2016-021, extension, realurl, Denial of Service

It has been discovered that the extension "Speaking URLs for TYPO3" (realurl) is susceptible to Denial of Service.

Release Date: September 8, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 2.0.0 to 2.0.14

Vulnerability Type: Denial of Service

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:O/RC:C

Problem Description: TYPO3 uses the cHash GET argument to bind a page's cacheable GET parameters to a hash that only the server (which knows the site's encryptionKey) can compute, so that only parameter combinations the site itself generated links for end up in the page cache. The extension regenerates the cHash from whatever GET parameters arrive in the request instead of validating the value supplied with the URL. An attacker can therefore forge URLs with arbitrary parameters that are nevertheless treated as carrying a valid cHash, and each such URL creates a new page cache entry, allowing an arbitrary number of page cache entries to be created. Once the resulting cache growth exceeds the database storage limits, the TYPO3 site stops responding.
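The following added example (not code from the advisory or from the realurl extension) illustrates the difference between regenerating and validating the cHash. TYPO3's real cHash is an md5 over the serialized, sorted GET parameters plus the site's encryptionKey; the HMAC below, the constructed key, the in-memory PageCache class and the two handler functions are simplified stand-ins with the same security purpose, namely that only the server can mint a valid cHash. The constructed attack traffic is a burst of URLs that differ only in a junk parameter.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed secret standing in for TYPO3's encryptionKey (assumption, not a real key).
ENCRYPTION_KEY = b"example-site-secret"


def calculate_chash(params: dict) -> str:
    """Keyed hash over the canonical (sorted) GET parameters, cHash itself excluded.

    Stand-in for TYPO3's md5(serialize(sorted params + encryptionKey)): the point is
    that a client without the site secret cannot produce a value that verifies.
    """
    canonical = urlencode(sorted((k, v) for k, v in params.items() if k != "cHash"))
    return hmac.new(ENCRYPTION_KEY, canonical.encode(), hashlib.sha256).hexdigest()


class PageCache:
    """Minimal stand-in for the TYPO3 page cache table: one entry per distinct key."""

    def __init__(self) -> None:
        self.entries: dict = {}

    def get_or_render(self, key: str, render) -> str:
        if key not in self.entries:
            self.entries[key] = render()
        return self.entries[key]


def handle_vulnerable(cache: PageCache, query: str) -> str:
    """Behaviour described in the advisory: the cHash is regenerated from the incoming
    parameters and never checked, so every distinct parameter set is cached."""
    params = dict(parse_qsl(query))
    params["cHash"] = calculate_chash(params)  # regenerated, not validated
    key = urlencode(sorted(params.items()))
    return cache.get_or_render(key, lambda: f"rendered page for {params}")


def handle_fixed(cache: PageCache, query: str) -> str:
    """Hardened behaviour: a request is cached only if it carries a cHash that matches
    the server-side computation; anything else is served without touching the cache."""
    params = dict(parse_qsl(query))
    supplied = params.get("cHash")
    if supplied is None or not hmac.compare_digest(supplied, calculate_chash(params)):
        return "uncached render (missing or invalid cHash)"
    key = urlencode(sorted(params.items()))
    return cache.get_or_render(key, lambda: f"rendered page for {params}")


def attacker_requests(n: int):
    """Constructed attack traffic: n URLs that differ only in a junk parameter."""
    return [f"id=1&junk={i}" for i in range(n)]


def flood(handler, n: int) -> int:
    """Send n forged requests through a handler and report how many cache entries result."""
    cache = PageCache()
    for query in attacker_requests(n):
        handler(cache, query)
    return len(cache.entries)


def legit_link(params: dict) -> str:
    """What the site's own link builder produces: parameters plus a valid cHash."""
    return urlencode(sorted(params.items())) + "&cHash=" + calculate_chash(params)


def fixed_handler_cache_count() -> int:
    """The fixed handler still caches a genuine link (twice requested, one entry)
    but ignores the same link with a tampered cHash."""
    cache = PageCache()
    good = legit_link({"id": "1", "L": "1"})
    handle_fixed(cache, good)
    handle_fixed(cache, good)
    tampered = good[:-4] + "0000"
    handle_fixed(cache, tampered)
    return len(cache.entries)


if __name__ == "__main__":
    print("vulnerable handler, 50 forged URLs ->", flood(handle_vulnerable, 50), "cache entries")
    print("fixed handler, 50 forged URLs     ->", flood(handle_fixed, 50), "cache entries")
    print("fixed handler, genuine link       ->", fixed_handler_cache_count(), "cache entry")
```

In a real TYPO3 installation the response to an invalid cHash depends on the site configuration (the frontend can either serve the page uncached or answer with a "page not found"); what matters for this advisory is that neither path may create a cache entry, which is exactly what regenerating the cHash defeats.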

Solution: An updated version 2.0.15 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/realurl/2.0.15/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Thanks to Robert Vock and Timo Pfeffer who discovered and reported the issue.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.