TYPO3-SA-2010-014: TYPO3 Security Bulletin

It has been discovered that the extension phpMyAdmin (phpmyadmin) is vulnerable to Broken Access Control.

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: Versions 4.1.0 to 4.8.0 (inclusive)

Vulnerability Type: Broken Access Control

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:N/E:F/RL:OF/RC:C

Release Date: 29.07.2010

Problem Description: The extension, intended to be accessible only to TYPO3 administrators, fails to enforce authorization. An attacker with standard TYPO3 backend editor rights can bypass the access control with a crafted request and thereby gain access to the database administration interface.
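The defect described above is a missing server-side authorization check: a module that is only meant for administrators must verify the caller's privilege on every request, not rely on being hidden from non-admin users. The following is an added illustration, not the phpmyadmin extension's own code or its actual patch. It assumes the standard TYPO3 4.x backend bootstrap has run so that $GLOBALS['BE_USER'] holds the authenticated backend user (whose isAdmin() method is part of the TYPO3 core API); render_admin_interface() is a hypothetical placeholder for the module's real output.

```php
<?php
// Added example (not the phpmyadmin extension's own code): a TYPO3 4.x
// backend module entry script that enforces the "administrators only"
// rule itself instead of relying on the module being invisible to editors.
// Assumption: the 4.x bootstrap (conf.php / init.php) has already run and
// $GLOBALS['BE_USER'] is the authenticated backend user object.

// Weak pattern: the script assumes that, because the module is only
// registered for administrators, nobody else can reach it. Any request
// that does reach the script is then served without any check:
//
//   render_admin_interface();   // no authorization check at all

// Hardened pattern: check the privilege on every request, before any output.
function assertAdminAccess()
{
    $beUser = isset($GLOBALS['BE_USER']) ? $GLOBALS['BE_USER'] : null;

    // No authenticated backend user at all: deny.
    if ($beUser === null || !is_object($beUser)) {
        deny('no backend session');
    }

    // Editors have a valid backend session but are not administrators: deny.
    // isAdmin() is the core backend-user API for this distinction.
    if (!$beUser->isAdmin()) {
        deny('administrator privileges required');
    }
}

function deny($reason)
{
    // Record the refused attempt so it shows up in the web server / PHP log,
    // where repeated denials for one editor account are worth investigating.
    error_log('phpmyadmin module: access denied (' . $reason . ')');
    header('HTTP/1.1 403 Forbidden');
    echo 'Access denied.';
    exit;
}

assertAdminAccess();

// Only reached by administrators. Hypothetical placeholder for the module's
// real output; not part of the extension.
render_admin_interface();
```

Menu visibility and module registration decide what a user is shown; only an explicit check at the entry point decides what a user can do. Placing the check before any output also prevents a partially rendered page from leaking information when the request is refused.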

Solution: An updated version 4.8.1 is available from the TYPO3 extension manager and at typo3.org/extensions/repository/view/phpmyadmin/4.8.1/. Users of the extension are advised to update the extension as soon as possible.

Note: The TYPO3 Security Team is aware that details of this vulnerability have been disclosed to a small group of people on July 28, 2010. So far, we have no reports of incidents that have successfully exploited this vulnerability.

The TYPO3 Security Team requests TYPO3 administrators to consider our advice from TYPO3-SA-2009-015 to either use extension phpMyAdmin only on development servers or to use the phpMyAdmin standalone application on production servers.

General advice: Follow the recommendations that are given in the TYPO3 SECURITY Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Credits: Credits go to Dirk Josefiak, who discovered the issue, and to TYPO3 Security Team member Helmut Hummel for providing a patch.