Category Archives: Typo3


Missing Access Check in TYPO3 CMS

Component Type: TYPO3 CMS

Release Date: May 24, 2016


Vulnerable subcomponent: Extbase

Vulnerability Type: Missing access check

Affected Versions: Versions 4.3.0 up to 8.1.0

Severity: Critical

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: Extbase request handling fails to implement a proper access check for requested controller/action combinations, which makes it possible for an attacker to execute arbitrary Extbase actions by crafting a special request. To successfully exploit this vulnerability, an attacker must have access to at least one Extbase plugin or module action in a TYPO3 installation. The missing access check inevitably leads to information disclosure or remote code execution, depending on the action that an attacker is able to execute.
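The access-check pattern the description refers to, as an added example that is not TYPO3's own Extbase code: a plugin may only dispatch the controller/action pairs its configuration lists, and a request naming any other pair is refused before a controller is invoked. The class and function names here are hypothetical.

```php
<?php
// Added example (not TYPO3 code): dispatching an Extbase-style plugin request
// only when the requested controller/action pair is configured for the plugin.
// Class and function names are hypothetical.

class ItemController
{
    public function listAction(): string { return 'list of items'; }
    public function showAction(): string { return 'one item'; }
    // Not meant to be reachable from the public plugin:
    public function deleteAction(): string { return 'item deleted'; }
}

/** Vulnerable pattern: any "<action>Action" method on the class can be reached. */
function dispatchUnchecked(object $controller, string $action): string
{
    return $controller->{$action . 'Action'}();
}

/**
 * Hardened pattern: the plugin configuration lists the actions each controller
 * exposes; a pair that is not listed is refused before anything is invoked.
 * @param array<string, string[]> $allowed controller class => action names
 */
function dispatchChecked(array $allowed, string $controller, string $action): string
{
    if (!in_array($action, $allowed[$controller] ?? [], true)) {
        throw new RuntimeException("$controller::$action is not an allowed action");
    }
    return (new $controller())->{$action . 'Action'}();
}

// Constructed configuration for a read-only list plugin.
$allowed = [ItemController::class => ['list', 'show']];

echo dispatchChecked($allowed, ItemController::class, 'list'), PHP_EOL;
try {
    dispatchChecked($allowed, ItemController::class, 'delete');
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), PHP_EOL;
}
// Without the allowlist the same request reaches deleteAction():
echo dispatchUnchecked(new ItemController(), 'delete'), PHP_EOL;
```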

Solution: Update to TYPO3 versions 6.2.24, 7.6.8 or 8.1.1, which fix the problem described.

Alternative Solution: Apply the patches suitable for your TYPO3 branch manually.

Alternative Solution: Download the zip archive, which contains a folder with a script and patches for all affected TYPO3 versions. (Please note: if you were quick and applied the zip file before the regression was fixed, you need to download this undo zip archive, which contains a script to revert the patches. After running that script, use the script from above to secure your TYPO3 CMS instances.)

Notes: TYPO3 installations with at least one publicly available Extbase action are exploitable without any further authentication.

TYPO3 installations without publicly available Extbase actions are still exploitable by authenticated backend users with access to a backend module that is based on Extbase.

Important Note: The fix introduces changes in the internal request handling of Extbase. In the unlikely case that an incompatibility with an extension that relies on this internal API occurs, the TYPO3 installation still remains fully available and functional, with only minor issues in Extbase form validation handling.

Users of any TYPO3 version from 4.3.0 to 8.1.0 are strongly encouraged to upgrade or to at least apply the patches provided below.

Please note that patching an unsupported TYPO3 version can only be considered a temporary mitigation. An upgrade to a supported version should be performed as soon as possible.

Credits: Thanks to Stefan Horlacher from Arcus Security GmbH, who discovered and reported the issue, to Alex Kellner, who also reported the issue, and to Oliver Hader for discovering a related vulnerability.


General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Important Security-Bulletin Pre-Announcement

[UPDATE] Add clarification regarding TYPO3 4.5

The TYPO3 security team has identified a critical security issue in the TYPO3 CMS Core.

All TYPO3 versions from 4.x to 8.1 are affected by this vulnerability. This means also TYPO3 version 4.5 (including 4.5 ELTS) is affected by this vulnerability.

Besides regular releases for supported branches (TYPO3 6.2.x, TYPO3 7.6.x, TYPO3 8.x), we will also provide patches for affected but unmaintained TYPO3 versions, because of the severity of this vulnerability.

Be prepared to update all your TYPO3 installations next Tuesday!

Please understand that we cannot provide any further information until the advisory has been published.


CVSS v2.0 data for the advisory to be released:

AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:O/RC:C (Base Score: 9.3, Temporal Score: 7.7)

Critical vulnerabilities in ImageMagick

For image manipulation, TYPO3 CMS uses one of the third-party tools GraphicsMagick or ImageMagick.

It has recently been discovered that ImageMagick has multiple vulnerabilities, Remote Code Execution (RCE) being one of them. These vulnerabilities are known to have already been exploited in the wild.

To exploit the vulnerabilities, an attacker needs to be able to upload malicious image files that are then processed by ImageMagick.

Further details can be found on the vulnerability disclosure website.

TYPO3 CMS users who have configured ImageMagick for image manipulation are strongly encouraged to apply one of the following mitigation strategies:

  • Change the TYPO3 CMS configuration to use GraphicsMagick for image manipulation:
    Install Tool -> Configuration Presets -> Image handling settings -> GraphicsMagick
  • Use a policy file to disable the vulnerable ImageMagick coders as described at the vulnerability disclosure website
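The policy-file mitigation from the second bullet, as an added example that is not part of the original bulletin: a policy.xml fragment that denies the ImageMagick coders named in the ImageTragick disclosure. The location of policy.xml is installation-specific and is an assumption you must check on your own system.

```xml
<policymap>
  <!-- Added example: deny the coders that the ImageTragick disclosure
       recommends disabling. Merge these entries into the existing
       policy.xml of the ImageMagick installation TYPO3 is configured to use. -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
```

After saving the file, `convert -list policy` prints the policy ImageMagick actually loaded, so you can confirm the entries were picked up.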



Privilege Escalation in TYPO3 CMS

Component Type: TYPO3 CMS

Release Date: April 12, 2016


Vulnerable subcomponent: Version

Vulnerability Type: Privilege Escalation

Affected Versions: Versions 6.2.0 to 6.2.19, 7.6.0 to 7.6.4 and 8.0.0

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: The workspace/version preview link created by a privileged (backend) user could be abused to obtain certain editing permissions if the admin panel is configured to be shown. A valid preview link is required to exploit this vulnerability.

Solution: Update to TYPO3 versions 6.2.20, 7.6.5 or 8.0.1 that fix the problem described.

Credits: Thanks to Helmut Hummel who discovered and reported the issue.


General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Authentication Bypass in TYPO3 CMS

Component Type: TYPO3 CMS

Release Date: April 12, 2016


Vulnerable subcomponent: Authentication

Vulnerability Type: Authentication Bypass

Affected Versions: Versions 6.2.0 to 6.2.19, 7.6.0 to 7.6.4 and 8.0.0

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: The default authentication service fails to reject an empty string as a password. Therefore it is possible to authenticate as backend and frontend users that have no password set in the database.

Solution: Update to TYPO3 versions 6.2.20, 7.6.5 or 8.0.1 that fix the problem described.

Note: TYPO3 does not allow creating user accounts without a password. Your TYPO3 installation is only affected if a third-party component creates user accounts without a password by directly manipulating the database.
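The failure mode described above, as an added example that is not TYPO3's authentication service: a credential check that lets two empty values compare as equal next to one that fails closed on an empty submitted password or an empty stored credential. Function names and the sample accounts are hypothetical and constructed for this example.

```php
<?php
// Added example (not TYPO3 code): a credential check that fails closed on
// empty values. Function names and the sample accounts are constructed.

/**
 * Vulnerable pattern: verify the hash, then fall back to a plain comparison
 * for legacy records. An account whose stored password is '' is opened by
 * submitting an empty password, because '' === '' is true.
 */
function passwordMatchesUnchecked(string $submitted, string $stored): bool
{
    if (password_verify($submitted, $stored)) {
        return true;
    }
    return $submitted === $stored;
}

/**
 * Hardened pattern: an empty submitted password or an empty stored
 * credential is an authentication failure before any comparison happens.
 */
function passwordMatches(string $submitted, string $stored): bool
{
    if ($submitted === '' || $stored === '') {
        return false;
    }
    return password_verify($submitted, $stored);
}

// Constructed records: a normal account and one written by a third-party
// component that stored an empty password directly in the database.
$accounts = [
    'editor'   => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    'imported' => '',
];

var_dump(passwordMatchesUnchecked('', $accounts['imported']));   // empty vs empty
var_dump(passwordMatches('', $accounts['imported']));            // fails closed
var_dump(passwordMatches('correct horse battery staple', $accounts['editor']));
```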

Credits: Thanks to Kevin Ditscheid who discovered and reported the issue.


General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Arbitrary File Disclosure in Form Component

Component Type: TYPO3 CMS

Release Date: April 12, 2016


Vulnerable subcomponent: Form

Vulnerability Type: Arbitrary File Disclosure

Affected Versions: Versions 6.2.0 to 6.2.19

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:N/A:N/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to properly validate user input, the form component is susceptible to Arbitrary File Disclosure. A valid backend user account is needed to exploit this vulnerability. Only forms that contain upload fields are vulnerable.

Solution: Update to TYPO3 version 6.2.20, which fixes the problem described.

Credits: Thanks to Gerrit Venema who discovered and reported the issues.


General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Cross-Site Scripting in TYPO3 Backend

Component Type: TYPO3 CMS

Release Date: April 12, 2016


Vulnerable subcomponent: Backend

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.19, 7.6.0 to 7.6.4 and 8.0.0

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to properly encode user input, some backend components are vulnerable to Cross-Site Scripting. A valid backend user account is needed to exploit this vulnerability.

Solution: Update to TYPO3 versions 6.2.20, 7.6.5 or 8.0.1 that fix the problem described.

Credits: Thanks to Georg Ringer, Nicole Cordes and Alexander Grein who discovered and reported the issues.


General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Multiple vulnerabilities in extension "Ajax mail subscription" (ods_ajaxmailsubscription)

Release Date: March 24, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 1.4.4 and below

Vulnerability Type: Insecure Authentication and Session Handling

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C

Problem Description: Failing to properly invalidate the authentication code after use or after a time limit, the extension is vulnerable to Insecure Authentication and Session Handling.

Solution: An updated version 1.4.5 is available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/ods_ajaxmailsubscription/1.4.5/t3x/. Users of the extension are advised to update the extension as soon as possible.

Note: The new version applies database changes. Existing auth codes become invalid once the update has been installed.

Credits: Credits go to Sabine Deeken who discovered and reported the issue.


General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

SQL Injection in extension "Another simple gallery" (chgallery)

Release Date: March 10, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 2.5.3 and below

Vulnerability Type: SQL Injection

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:N/E:F/RL:O/RC:C

Problem Description: Failing to properly sanitize user-supplied input, the extension is vulnerable to SQL Injection. A valid backend login with permission to access the plugin settings is required to exploit this vulnerability.

Solution: An updated version 2.5.4 is available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/chgallery/2.5.4/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Wouter van Dongen who discovered and reported the issue.


General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Multiple vulnerabilities in extension phpMyAdmin (phpmyadmin)

Release Date: March 10, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: 5.1.4 and below

Vulnerability Type: Unsafe Comparison of XSRF/CSRF token, Full Path Disclosure, Cross-Site Scripting, Insecure Password Generation

Severity: High

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:C/I:C/A:P/E:ND/RL:O/RC:C

References: PMASA-2016-2, PMASA-2016-5 (XSRF/CSRF), PMASA-2015-6, PMASA-2016-1, PMASA-2016-6 (FPD), PMASA-2016-3, PMASA-2016-7 (XSS) and PMASA-2016-4 (IPG)

Related CVE: CVE-2016-2039, CVE-2016-2041 (XSRF/CSRF), CVE-2015-8669, CVE-2016-2038, CVE-2016-2042 (FPD), CVE-2016-2040, CVE-2016-2043 (XSS) and CVE-2016-1927 (IPG)

Problem Description: Due to missing or incorrect validation of user input, phpMyAdmin is susceptible to multiple vulnerabilities.

Solution: An updated version 5.1.5 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/phpmyadmin/5.1.5/t3x/. Users of the extension are advised to update the extension as soon as possible.

Note: In general, the TYPO3 Security Team recommends not using any extension that bundles database or file management tools on production TYPO3 websites.

Credits: Thanks to Andreas Beutel for providing a TYPO3 extension package with an updated phpMyAdmin version.


General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.