TYPO3-SA-2009-001: Multiple vulnerabilities in TYPO3 Core

Categories: TYPO3 CMS
Created by: Marcus Krause
It has been discovered that TYPO3 Core is vulnerable to Broken Authentication and Session Management, Cross-Site Scripting, Insecure Randomness and Remote Command Execution.

Component Type: TYPO3 Core

Affected Versions: TYPO3 versions 4.0.0 to 4.0.9, 4.1.0 to 4.1.7, 4.2.0 to 4.2.3

Vulnerability Types: Broken Authentication and Session Management, Cross-Site Scripting, Insecure Randomness and Remote Command Execution

Overall Severity: High

Release Date: January 20, 2009 - 4pm (GMT)

Vulnerable subcomponent #1: System extension Install tool (install)

Vulnerability Types: Insecure Randomness

Severity: High

Problem Description: The TYPO3-wide encryption key is generated from an insufficiently random seed, which results in a key of low entropy.

Solution: Update to the TYPO3 versions 4.0.10, 4.1.8 or 4.2.4 that fix the problem described.

You will need to create a new encryption key! To do so, first clear the configuration cache, upgrade to the new TYPO3 version, open the install tool and choose menu 1 ("Basic Configuration"). Scroll to the bottom of the page and click on the button "Generate random key". Submit the form by clicking on "Update localconf.php".

Afterwards, clear the configuration and page cache again!

Credits: Credits go to Chris John Riley (Raiffeisen Informatik, CERT Security Competence Center Zwettl, Austria) who discovered and reported the issue.

Vulnerable subcomponent #2: Authentication library

Vulnerability Types: Broken Authentication and Session Management

Severity: High

Problem Description: TYPO3 authenticates frontend and backend users without invalidating the session identifier that was supplied with the login request. TYPO3 is therefore vulnerable to session fixation, which allows an attacker to hijack a victim's session.

Solution: Update to the TYPO3 versions 4.0.10, 4.1.8 or 4.2.4 that fix the issue described.

Credits: Credits go to TYPO3 Security Team member Marcus Krause who discovered and reported the issue.
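As an added illustration of the session fixation issue in subcomponent #2 (this is example code, not TYPO3's authentication library): a minimal PHP login handler in the fixation-prone form and in a hardened form that discards the pre-authentication session ID. checkCredentials() and userTable() are constructed stand-ins; the mitigation itself uses only standard PHP session functions.

```php
<?php
declare(strict_types=1);

// Constructed user table; the hash is built at runtime so the file runs stand-alone.
function userTable(): array
{
    static $table = null;
    if ($table === null) {
        $table = ['alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    }
    return $table;
}

// Hypothetical credential check: returns the user id on success, null otherwise.
function checkCredentials(string $user, string $pass): ?int
{
    $row = userTable()[$user] ?? null;
    if ($row === null || !password_verify($pass, $row['hash'])) {
        return null;
    }
    return $row['id'];
}

// Fixation-prone pattern: whatever session the browser presented (possibly an ID
// the attacker planted beforehand) is simply upgraded to an authenticated one.
function loginFixationProne(string $user, string $pass): bool
{
    $uid = checkCredentials($user, $pass);
    if ($uid === null) {
        return false;
    }
    $_SESSION['uid'] = $uid;         // same session ID before and after login
    return true;
}

// Hardened pattern: on success, replace the session ID and delete the old session
// data, so an ID known to a third party never becomes an authenticated session.
function loginHardened(string $user, string $pass): bool
{
    $uid = checkCredentials($user, $pass);
    if ($uid === null) {
        return false;
    }
    session_regenerate_id(true);     // fresh ID; old session file is removed
    $_SESSION['uid'] = $uid;
    return true;
}

ini_set('session.use_strict_mode', '1');   // also reject unknown, uninitialised IDs
session_start();
$before = session_id();
$ok = loginHardened('alice', 'correct horse');
printf("login=%s id_changed=%s\n", $ok ? 'ok' : 'failed', $before !== session_id() ? 'yes' : 'no');
```

session.use_strict_mode complements the regeneration: it makes PHP refuse session IDs it did not issue itself, so a fixated ID is not even accepted before login.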

Vulnerable subcomponent #3: System extension Indexed Search Engine (indexed_search)

Vulnerability Types: Cross-Site Scripting, Remote Command Execution

Severity: Medium

Problem Description: Arguments passed to the command-line indexer are not sanitized, making this system extension susceptible to Remote Command Execution. Furthermore, the corresponding backend module fails to sanitize user-supplied input (the names and contents of the files to be indexed), making this system extension susceptible to Cross-Site Scripting.

Solution: Update to the TYPO3 versions 4.0.10, 4.1.8 or 4.2.4 that fix the issues described.

Credits: Credits go to Mads Olesen who discovered and reported the issues.

Vulnerable subcomponent #4: System extension ADOdb (adodb)

Vulnerability Types: Cross-Site Scripting

Severity: Medium

Problem Description: The test scripts shipped with the extension fail to sanitize user-supplied input, making this system extension susceptible to Cross-Site Scripting.

Solution: Update to the TYPO3 versions 4.0.10, 4.1.8 or 4.2.4 that fix the issues described.

Credits: Credits go to Mads Olesen who discovered and reported the issue.

Vulnerable subcomponent #5: Workspace module

Vulnerability Types: Cross-Site Scripting

Severity: Medium

Problem Description: The module fails to sanitize user-supplied input, making it susceptible to Cross-Site Scripting.

Solution: Update to the TYPO3 versions 4.0.10, 4.1.8 or 4.2.4 that fix the issue described.

Credits: Credits go to Daniel Fabian (SEC Consult, Austria) who discovered and reported the issue.

Note on TYPO3 Lifecycle Policy:

The following TYPO3 versions are currently (as of January 2009) officially supported:

  • TYPO3 4.2 (current stable; updates and security fixes)
  • TYPO3 4.1 (old stable; updates and security fixes)
  • TYPO3 4.0 (old old stable; security fixes only)

General advice: Follow the recommendations that are given in the TYPO3 Security Cookbook. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.