TYPO3-EXT-SA-2016-021: Denial of Service in extension "Speaking URLs for TYPO3" (realurl)
September 08, 2016
It has been discovered that the extension "Speaking URLs for TYPO3" (realurl) is susceptible to Denial of Service.
Release Date: September 8, 2016
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: version 2.0.0 to 2.0.14
Vulnerability Type: Denial of Service
Problem Description: The extension allows an attacker to forge URLs with arbitrary cHash values, because it regenerates the cHash GET argument instead of validating the supplied one. This makes it possible to create an arbitrary number of page cache entries. Once database storage limits are exceeded, the TYPO3 site eventually stops responding.
Solution: An updated version 2.0.15 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/realurl/2.0.15/t3x/. Users of the extension are advised to update the extension as soon as possible.
Credits: Thanks to Robert Vock and Timo Pfeffer who discovered and reported the issue.
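To make the failure class in the Problem Description concrete, the following added example (not code from the advisory or from the realurl extension) contrasts a request handler that regenerates the cache hash from the URL parameters with one that validates the supplied cHash against the computed value and refuses to cache on mismatch. The keyed-hash scheme, the encryption key, the cache key layout and the parameter names are simplified assumptions; a constructed sequence of requests with varying parameters and a bogus cHash shows how the page cache grows under each handler.

```python
"""Cache-hash validation versus regeneration (added example, simplified model)."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for the installation's encryption key (assumption).
ENCRYPTION_KEY = b"demo-encryption-key-not-a-real-value"


def compute_chash(params: dict) -> str:
    """Cache hash over every GET parameter except cHash itself, in sorted order.

    Simplified model: a keyed hash over the canonical query string. The real
    scheme differs in detail; the validation logic is what matters here.
    """
    relevant = sorted((k, v) for k, v in params.items() if k != "cHash")
    canonical = urlencode(relevant).encode()
    return hmac.new(ENCRYPTION_KEY, canonical, hashlib.sha256).hexdigest()[:32]


def parse_query(query: str) -> dict:
    """Flatten a query string into a single-valued parameter dict."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def page_cache_key(params: dict, chash: str) -> str:
    """Page cache entries are keyed by page id plus cache hash (assumed layout)."""
    return f"{params.get('id', '')}|{chash}"


def handle_vulnerable(query: str, cache: dict) -> str:
    """The defect the advisory describes: the cHash supplied in the URL is
    discarded and regenerated from the other parameters, so every distinct
    parameter combination yields a "valid" hash and a fresh cache entry."""
    params = parse_query(query)
    regenerated = compute_chash(params)        # never compared with the input
    key = page_cache_key(params, regenerated)
    if key in cache:
        return "hit"
    cache[key] = f"rendered page for {query}"  # growth controlled by the client
    return "miss-cached"


def handle_fixed(query: str, cache: dict) -> str:
    """Hardened handling: the supplied cHash must equal the value computed over
    the parameters. On mismatch the page is served uncached (or rejected), so
    no cache entry is created for it."""
    params = parse_query(query)
    supplied = params.get("cHash", "")
    expected = compute_chash(params)
    if not hmac.compare_digest(supplied, expected):
        return "uncached-invalid-chash"
    key = page_cache_key(params, expected)
    if key in cache:
        return "hit"
    cache[key] = f"rendered page for {query}"
    return "miss-cached"


def legitimate_url(params: dict) -> str:
    """Build a query string the way the site itself would, with a valid cHash."""
    p = dict(params)
    p["cHash"] = compute_chash(p)
    return urlencode(sorted(p.items()))


def simulate(handler, forged_requests: int) -> int:
    """Serve one legitimate request followed by `forged_requests` requests whose
    parameters vary but whose cHash is not valid. Returns the number of page
    cache entries afterwards, i.e. how much storage the traffic consumed."""
    cache: dict = {}
    handler(legitimate_url({"id": "1", "tx_news_pi1[news]": "5"}), cache)
    for n in range(forged_requests):
        # Constructed input: one varying parameter, fixed bogus cHash.
        handler(f"id=1&x={n}&cHash=0000000000000000", cache)
    return len(cache)


if __name__ == "__main__":
    print("vulnerable:", simulate(handle_vulnerable, 50), "cache entries")
    print("fixed:     ", simulate(handle_fixed, 50), "cache entries")
```

The design point is that a cache hash only protects the cache if the component serving the request compares the client-supplied value with the one it computes; any code path that recomputes the hash from request data and then trusts the result has turned the check into a no-op. Monitoring the row count or size of the page cache table, and alerting on sudden growth, gives a defender early warning of this kind of cache-filling traffic regardless of which component is at fault.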