Category Archives: Typo3

Frontend login Session Fixation

Component Type: TYPO3 CMS

Release Date: July 1, 2015

Vulnerable subcomponent: Frontend Logon

Vulnerability Type: Session Fixation

Affected Versions: Versions 6.2.0 to 6.2.13, 7.0.0 to 7.3.0

Severity: Low

Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C

CVE: not assigned yet

Problem Description: It has been discovered that TYPO3 is susceptible to session fixation. If a user authenticates while anonymous session data is present, the session id is not changed. This makes it possible for attackers to generate a valid session id, trick users into using this session id (e.g. by leveraging a different Cross-Site Scripting vulnerability) and then possibly gain access to an authenticated session.
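To make the mechanism concrete, an added model (not TYPO3 code) of an in-memory session store with a login that keeps the anonymous session id next to one that issues a fresh id; the class, method names and the constructed scenario are hypothetical:

```php
<?php
/**
 * Hypothetical store modelling the bulletin's flaw: an anonymous session
 * already exists when the user authenticates.
 */
class SessionStore
{
    /** @var array session id => session data */
    private $sessions = array();

    /** Start an anonymous session and return its id (PHP 7+ for random_bytes). */
    public function start()
    {
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = array('user' => null, 'cart' => array('item-1'));
        return $id;
    }

    public function get($id)
    {
        return isset($this->sessions[$id]) ? $this->sessions[$id] : null;
    }

    /** Vulnerable variant: authenticates the existing session in place, so anyone
     *  who knew the anonymous id before login holds an authenticated one after. */
    public function loginKeepingId($id, $user)
    {
        $this->sessions[$id]['user'] = $user;
        return $id;
    }

    /** Fixed variant: carry the anonymous data over to a fresh id, retire the old id. */
    public function loginWithFreshId($id, $user)
    {
        $data = $this->sessions[$id];
        unset($this->sessions[$id]);          // the id a third party may know dies here
        $newId = $this->start();
        $this->sessions[$newId] = array_merge($data, array('user' => $user));
        return $newId;
    }
}

// Constructed scenario: $knownId is an anonymous id learned by a third party before login.
$store = new SessionStore();
$knownId = $store->start();
$store->loginKeepingId($knownId, 'editor');
$after = $store->get($knownId);
echo "vulnerable: known id now belongs to user '", $after['user'], "'", PHP_EOL;

$store = new SessionStore();
$knownId = $store->start();
$fresh = $store->get($store->loginWithFreshId($knownId, 'editor'));
echo 'fixed: known id resolves to ', var_export($store->get($knownId), true),
     ", fresh id carries user '", $fresh['user'], "' and ", count($fresh['cart']), ' cart item', PHP_EOL;
```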

Solution: Update to TYPO3 versions 6.2.14 or 7.3.1 that fix the problem described.

Credits: Thanks to Helmut Hummel who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Cross-Site Scripting exploitable by Editors

Component Type: TYPO3 CMS

Release Date: July 1, 2015

Vulnerable subcomponent: Backend

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.13, 7.0.0 to 7.3.0

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C

CVE: not assigned yet

Problem Description: Because input from editors (page titles in links and file names) is not properly HTML-encoded, TYPO3 is vulnerable to Cross-Site Scripting.

Solution: Update to TYPO3 versions 6.2.14 or 7.3.1 that fix the problem described.

Credits: Thanks to Marc Bastian Heinrichs who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Brute Force Protection Bypass in backend login

Component Type: TYPO3 CMS

Release Date: July 1, 2015

Vulnerable subcomponent: Backend

Vulnerability Type: Brute Force Protection Bypass

Affected Versions: Versions 6.2.0 to 6.2.13, 7.0.0 to 7.3.0

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C

CVE: not assigned yet

Problem Description: The backend login has a basic brute force protection implementation which pauses for 5 seconds if wrong credentials are given. This pause, however, could be bypassed by forging a special request, which makes brute force attacks on backend editor credentials more feasible.

Solution: Update to TYPO3 versions 6.2.14 or 7.3.1 that fix the problem described.

Important Note: These versions move the code that waits for 5 seconds to a place which cannot be bypassed. As a consequence, the frontend logon now has this protection as well. Additionally, a hook was implemented that makes it possible to implement other brute force protection strategies or to remove the 5 second delay; the delay remains the default behavior if no hook is registered.

Example Hook registration:

$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'][] = 'My\Package\HookClass->hookMethod';
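As an added example (not code from the bulletin or from TYPO3), a hook class matching the registration above that replaces the flat delay with a per-address escalating one. The method signature follows TYPO3's callUserFunction convention (parameters array, then the calling object); the use of the core cache_hash cache as counter storage, the counter window and the delay ceiling are assumptions:

```php
<?php
namespace My\Package;

use TYPO3\CMS\Core\Authentication\AbstractUserAuthentication;
use TYPO3\CMS\Core\Utility\GeneralUtility;

/**
 * Hypothetical postLoginFailureProcessing hook. Once any hook is registered
 * the core no longer sleeps 5 seconds itself, so the delay policy lives here.
 */
class HookClass
{
    /** Seconds a failure counter survives without new failures (assumed value). */
    const WINDOW_SECONDS = 600;

    /** Ceiling on the delay so a flood of bad logins cannot pin PHP workers for long. */
    const MAX_DELAY_SECONDS = 20;

    /**
     * Invoked as $obj->hookMethod($params, $parentObject); $pObj is the
     * authenticating object and its loginType is 'BE' or 'FE'.
     */
    public function hookMethod(array $params, AbstractUserAuthentication $pObj)
    {
        $remoteAddress = GeneralUtility::getIndpEnv('REMOTE_ADDR');

        // Cache identifiers allow only letters, digits and a few symbols, so the
        // address is hashed rather than embedded. Counters are per login type and
        // per address; clients behind one NAT share a counter (accepted trade-off).
        $identifier = 'loginfailure_' . $pObj->loginType . '_' . md5($remoteAddress);
        $cache = GeneralUtility::makeInstance('TYPO3\\CMS\\Core\\Cache\\CacheManager')
            ->getCache('cache_hash');

        // get() returns false on a miss, which casts to 0. Note that clearing all
        // caches also resets these counters.
        $failures = (int)$cache->get($identifier) + 1;
        $cache->set($identifier, $failures, array(), self::WINDOW_SECONDS);

        // Leave a trace that log monitoring can correlate.
        GeneralUtility::sysLog(
            sprintf('%s login failure #%d from %s', $pObj->loginType, $failures, $remoteAddress),
            'my_package',
            GeneralUtility::SYSLOG_SEVERITY_NOTICE
        );

        // 1, 2, 4, 8, 16, 20, 20, ... seconds: one typo costs little, a sustained
        // guessing run from the same address slows down quickly.
        $delay = min(self::MAX_DELAY_SECONDS, 1 << min($failures - 1, 6));
        sleep($delay);
    }
}
```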

Credits: Thanks to Franz G. Jahn who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Access bypass when editing file metadata

Component Type: TYPO3 CMS

Release Date: July 1, 2015

Vulnerable subcomponent: Backend

Vulnerability Type: Broken Access Control

Affected Versions: Versions 6.2.0 to 6.2.13, 7.0.0 to 7.3.0

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C

CVE: not assigned yet

Problem Description: It has been discovered that editors with access to the file metadata table could change, create or delete the metadata of files that are not within their file mounts.

Solution: Update to TYPO3 versions 6.2.14 or 7.3.1 that fix the problem described.

Credits: Thanks to Marc Bastian Heinrichs who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Information Disclosure possibility exploitable by Editors

Component Type: TYPO3 CMS

Release Date: July 1, 2015

Vulnerable subcomponent: Backend

Vulnerability Type: Information Disclosure

Affected Versions: Versions 6.2.0 to 6.2.13, 7.0.0 to 7.3.0

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C

CVE: not assigned yet

Problem Description: It has been discovered that editors with access to the file list module could list all files and folders in the root directory of a TYPO3 installation. Modifying files or listing further nested directories was not possible.

Solution: Update to TYPO3 versions 6.2.14 or 7.3.1 that fix the problem described.

Credits: Thanks to Helmut Hummel who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Cross-Site Scripting in extension "404 Page not found handling" (pagenotfoundhandling)

Release Date: June 29, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 2.1.0 and below

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: The extension fails to properly encode user input for output in HTML context.

Solution: An updated version 2.1.1 is available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/pagenotfoundhandling/2.1.1/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Bas van Beek who discovered and reported the issue.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

SQL Injection in EXT:sb_akronymmanager

Release Date: June 18, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 0.5.0 and below

Vulnerability Type: SQL Injection

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:C/A:P/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to properly sanitize user-supplied input, the extension is vulnerable to SQL Injection.

Solution: An updated version 7.0.0 is available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/sb_akronymmanager/7.0.0/t3x/. Users of the extension are advised to update the extension as soon as possible.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Arbitrary Code Execution in extension Job Fair (jobfair)

Release Date: June 15, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 1.0.0 and below

Vulnerability Type: Arbitrary Code Execution

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: The extension jobfair offers the possibility to upload files. It was discovered that it was possible to upload files with specially crafted file extensions, which could be executed as PHP files on the server when Apache with mod_mime available (the default) is used as the web server. An uploaded file is stored in the extension's upload folder and can be executed afterwards. Failing to check the uploaded file name against the fileDenyPattern, jobfair is susceptible to arbitrary code execution.
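As an added illustration (not code from jobfair or from TYPO3), the check the bulletin says was missing, run against a few constructed upload names; the pattern is modelled on TYPO3 6.2's default fileDenyPattern and is an assumption, as is the helper name:

```php
<?php
/**
 * Modelled on TYPO3 6.2's default fileDenyPattern (assumed here). A real
 * extension should read $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern']
 * instead, since administrators may have tightened it.
 */
const ASSUMED_FILE_DENY_PATTERN = '\\.(php[3-7]?|phpsh|phtml)(\\..*)?$|^\\.htaccess$';

/**
 * Hypothetical helper: true when the name may be stored, false when it matches
 * the deny pattern. Matching is case-insensitive, mirroring how TYPO3 applies it.
 * The "(\..*)?$" tail is what catches Apache mod_mime multi-extension names such
 * as "x.php.txt", where every dot-separated part is a candidate extension.
 */
function isUploadNameAllowed($fileName, $denyPattern = ASSUMED_FILE_DENY_PATTERN)
{
    // basename() so a path prefix cannot hide the final file name from the check
    return preg_match('/' . $denyPattern . '/i', basename($fileName)) === 0;
}

// Constructed sample names with the outcome the pattern is expected to give.
$samples = array(
    'cv.pdf'        => true,
    'photo.JPG'     => true,
    'shell.php'     => false,
    'shell.PHP5'    => false,  // case-insensitive match on the php[3-7]? branch
    'shell.php.txt' => false,  // mod_mime treats .php as a handler extension here
    'shell.phtml'   => false,
    '.htaccess'     => false,  // could re-enable PHP handling in the upload folder
    'notes.phpx'    => true,   // not covered by the pattern: server config matters too
);

foreach ($samples as $name => $expected) {
    $allowed = isUploadNameAllowed($name);
    printf("%-14s %s%s\n", $name, $allowed ? 'allowed' : 'rejected',
        $allowed === $expected ? '' : '  <-- unexpected');
}
```

Deny-pattern checks only complement web server hardening (no script handlers in upload directories); the `notes.phpx` line is there to make that limit visible.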

Please also read an older bulletin and a blog article for further information about this issue in combination with Apache as web server.

Solution: An updated version 1.0.1 is available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/jobfair/1.0.1/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Torben Hansen who discovered and reported the issue.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Cross-Site Scripting in extension BE User Log (beko_beuserlog)

Release Date: June 15, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 1.1.1 and below

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:P/RL:U/RC:C

Problem Description: The extension fails to properly escape user input in HTML context.

Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author is no longer maintaining this extension. Please uninstall and delete the extension folder from your installation.

Credits: Credits go to Torben Hansen who discovered and reported the issue.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

SQL Injection vulnerability in extension Developer Log (devlog)

Release Date: June 15, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 2.11.3 and below

Vulnerability Type: SQL Injection

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:P/E:F/RL:U/RC:C

CVE: not assigned yet

Problem Description: Failing to properly sanitize user-supplied input, the extension is vulnerable to SQL Injection. Only editors with permission to access the devlog backend module are able to exploit this vulnerability.

Solution: An updated version 2.11.4 is available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/devlog/2.11.4/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Wouter van Dongen who discovered and reported the issue.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.