Several serious security vulnerabilities have been found in the TYPO3 core packages. The following versions are affected:
- 4.0.0 to 4.0.9
- 4.1.0 to 4.1.7
- 4.2.0 to 4.2.3
New versions (4.0.10, 4.1.8, 4.2.4) have been released right away because, unlike vulnerabilities in extensions, in this case the TYPO3 core itself is affected and therefore every TYPO3 site is attackable. Two of the 5 vulnerabilities are to be rated as "high" severity, and an update is strongly advised.
Below is the complete announcement of the TYPO3 Security Team (in English), which describes the affected packages, their weaknesses, and how to update them.
Component Type: TYPO3 Core
Affected Versions: TYPO3 versions 4.0.0 to 4.0.9, 4.1.0 to 4.1.7, 4.2.0 to 4.2.3
Vulnerability Types: Broken Authentication and Session Management, Cross-Site Scripting, Insecure Randomness and Remote Command Execution
Overall Severity: High
Vulnerable subcomponent #1: System extension Install tool (install)
Vulnerability Types: Insecure Randomness
Severity: High
Problem Description: The TYPO3-wide encryption key is created with an insufficiently random seed, which results in low entropy.
Solution: Update to the TYPO3 versions 4.0.10, 4.1.8 or 4.2.4 that fix the problem described.
You will need to create a new encryption key! Therefore upgrade to the new TYPO3 version, clear the configuration cache, open the install tool and choose menu 1 ("Basic Configuration"). Scroll to the bottom of the page and click on the button "Generate random key". Submit the form by clicking on "Update localconf.php".
Afterwards, clear the configuration and page cache again!
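As an added example (not code from the TYPO3 project or from this advisory), the PHP below puts the two sides of the defect class side by side: a key whose every character is a function of one small seed, and a key drawn from the operating system's CSPRNG, written out in the `typo3conf/localconf.php` line that TYPO3 4.x uses. It assumes PHP 7 or later for `random_bytes()`; the weak generator is a constructed illustration, not TYPO3's actual key generator, and the 96-character length and the `looksLikeUsableKey` heuristic are my own choices.

```php
<?php
// Added example, not TYPO3 code. Requires PHP 7+ (random_bytes()).

// Constructed illustration of the defect class: the whole 96-character key is
// a deterministic function of one seed. When that seed is a timestamp, the
// number of possible keys is tiny, which is what "low entropy" means here.
function weakEncryptionKey(int $seed): string
{
    mt_srand($seed);
    $key = '';
    for ($i = 0; $i < 96; $i++) {
        $key .= chr(mt_rand(33, 126));   // printable ASCII
    }
    return $key;
}

// Remediation: 48 bytes from the OS CSPRNG, hex-encoded to 96 characters.
// random_bytes() throws instead of silently falling back to a weak source.
function strongEncryptionKey(): string
{
    return bin2hex(random_bytes(48));
}

// The line that belongs in typo3conf/localconf.php for TYPO3 4.x. The hex
// alphabet contains no quote characters, so no escaping is needed.
function localconfLine(string $key): string
{
    return "\$TYPO3_CONF_VARS['SYS']['encryptionKey'] = '" . $key . "';";
}

// Rough sanity check for an existing key (my heuristic): at least 32
// characters and at least ten distinct symbols. It catches empty, short or
// repeated-character keys, not a well-formed key from a bad seed.
function looksLikeUsableKey(string $key): bool
{
    return strlen($key) >= 32 && count(count_chars($key, 1)) >= 10;
}

$seed = time();
var_dump(weakEncryptionKey($seed) === weakEncryptionKey($seed)); // bool(true): reproducible
var_dump(strongEncryptionKey() === strongEncryptionKey());       // bool(false)
$new = strongEncryptionKey();
var_dump(looksLikeUsableKey($new));                              // bool(true)
echo localconfLine($new), PHP_EOL;
```

The generated line replaces the existing `encryptionKey` entry in `localconf.php`; as the advisory says, clear the configuration and page caches afterwards, since values derived from the old key are cached.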
Credits: Credits go to Chris John Riley (Raiffeisen Informatik, CERT Security Competence Center Zwettl, Austria) who discovered and reported the issue.
Vulnerable subcomponent #2: Authentication library
Vulnerability Types: Broken Authentication and Session Management
Severity: High
Problem Description: TYPO3 authenticates frontend and backend users without invalidating a supplied session identifier. Therefore, TYPO3 is open to session fixation, allowing an attacker to hijack a victim's session.
Solution: Update to the TYPO3 versions 4.0.10, 4.1.8 or 4.2.4 that fix the issue described.
Credits: Credits go to TYPO3 Security Team member Marcus Krause who discovered and reported the issue.
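As an added example (not TYPO3's authentication library), the following PHP login handler shows the defect class above next to its fix: the session identifier that arrived with the request must be discarded at the moment the user becomes authenticated, so an identifier known before login is worthless afterwards. It assumes PHP 7.1 or later (`void` return type, `session_regenerate_id(true)` deleting the old record); the sample account and password are constructed.

```php
<?php
// Added example, not TYPO3 code. All session calls run before any output,
// because session_regenerate_id() cannot change the cookie once output began.

// Hardening independent of the code below: with use_strict_mode PHP refuses
// session ids it did not issue itself, so a planted id is never adopted.
ini_set('session.use_strict_mode', '1');
session_start();

// Constructed sample account; a real system reads the hash from its user table.
$accounts = ['editor' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

function checkCredentials(array $accounts, string $user, string $password): bool
{
    return isset($accounts[$user]) && password_verify($password, $accounts[$user]);
}

// Defect class from the advisory: the session id that arrived with the request
// (possibly chosen by someone else) is kept and simply marked as authenticated.
function loginVulnerable(array $accounts, string $user, string $password): bool
{
    if (!checkCredentials($accounts, $user, $password)) {
        return false;
    }
    $_SESSION['user'] = $user;
    return true;
}

// Fixed: issue a fresh id and delete the old session record (the `true`
// argument). Privilege changes are the moment to rotate, not page load.
function loginFixed(array $accounts, string $user, string $password): bool
{
    if (!checkCredentials($accounts, $user, $password)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['authenticated_at'] = time();
    return true;
}

// Same rule on the way out: destroy the record rather than only clearing it.
function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

$before = session_id();
$ok = loginFixed($accounts, 'editor', 'correct horse battery staple');
$after = session_id();

echo $ok ? 'login ok' : 'login failed', PHP_EOL;
echo $before !== $after ? 'session id rotated' : 'session id NOT rotated', PHP_EOL;
```

When reviewing a login path for this defect, look for the call that marks the session as authenticated and confirm that a regenerate (or equivalent) precedes it; a login that only sets a flag on the incoming session is the pattern the advisory describes.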
Vulnerable subcomponent #3: System extension Indexed Search Engine (indexed_search)
Vulnerability Types: Cross-Site Scripting, Remote Command Execution
Severity: Medium
Problem Description: Arguments passed to the command-line indexer are not sanitized, making this system extension susceptible to Remote Command Execution. Furthermore, the corresponding backend module fails to sanitize user-supplied input (name and content of files to be indexed), making this system extension susceptible to Cross-Site Scripting.
Solution: Update to the TYPO3 versions 4.0.10, 4.1.8 or 4.2.4 that fix the issues described.
Credits: Credits go to Mads Olesen who discovered and reported the issues.
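As an added example (not the `indexed_search` code), the PHP below shows how an argument such as a file name should reach an external indexing program. The helper binary path `/usr/local/bin/index-file` and the `INDEX_ROOT` directory are hypothetical; the unsafe builder is a constructed illustration of the defect class, not the extension's actual code. `proc_open()` with an argument array requires PHP 7.4 or later.

```php
<?php
// Added example, not TYPO3 code. Paths below are hypothetical.

const INDEXER = '/usr/local/bin/index-file';
const INDEX_ROOT = '/var/www/site/fileadmin';   // only files below here may be indexed

// Defect class from the advisory: untrusted text concatenated into a shell
// command line, so shell metacharacters in $path are interpreted, not passed.
function indexerCommandUnsafe(string $path): string
{
    return INDEXER . ' ' . $path;
}

// escapeshellarg() wraps the value in single quotes and escapes embedded
// quotes; the shell then sees exactly one literal argument.
function indexerCommandSafe(string $path): string
{
    return INDEXER . ' ' . escapeshellarg($path);
}

// Defence in depth: canonicalise the path and require it to stay inside the
// directory the indexer is meant to cover. Returns the real path or null.
function allowedIndexPath(string $path): ?string
{
    $real = realpath($path);
    if ($real === false) {
        return null;
    }
    $root = rtrim(INDEX_ROOT, '/') . '/';
    return strncmp($real, $root, strlen($root)) === 0 ? $real : null;
}

// Best option on PHP 7.4+: an argument array makes proc_open() execute the
// program directly, with no shell in between to interpret anything.
function runIndexer(string $path): int
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open([INDEXER, $path], $spec, $pipes);
    if (!is_resource($proc)) {
        return -1;
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Constructed input containing a shell metacharacter sequence.
$input = 'report.pdf; id';
echo indexerCommandUnsafe($input), PHP_EOL;   // the shell would see two commands
echo indexerCommandSafe($input), PHP_EOL;     // one quoted argument
var_dump(allowedIndexPath($input));           // NULL: not a real file under INDEX_ROOT
```

The order of checks matters: validate the path against the allowed root first, and only then hand the canonical result to `runIndexer()`; escaping protects the shell boundary, the root check protects against indexing files the module was never meant to touch.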
Vulnerable subcomponent #4: System extension ADOdb (adodb)
Vulnerability Types: Cross-Site Scripting
Severity: Medium
Problem Description: Test scripts fail to sanitize user-supplied input, making this system extension susceptible to Cross-Site Scripting.
Solution: Update to the TYPO3 versions 4.0.10, 4.1.8 or 4.2.4 that fix the issues described.
Credits: Credits go to Mads Olesen who discovered and reported the issue.
Vulnerable subcomponent #5: Workspace module
Vulnerability Types: Cross-Site Scripting
Severity: Medium
Problem Description: The module fails to sanitize user-supplied input, making this module susceptible to Cross-Site Scripting.
Solution: Update to the TYPO3 versions 4.0.10, 4.1.8 or 4.2.4 that fix the issue described.
Credits: Credits go to Daniel Fabian (SEC Consult, Austria) who discovered and reported the issue.
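Subcomponents #3, #4 and #5 share one defect class: values a user controls (file names and contents in the indexer module, test-script parameters in ADOdb, workspace input) are written into HTML without escaping. As an added example that is not TYPO3 module code, the PHP below shows the escaping helpers a backend module needs for the three contexts it typically renders into: HTML text and attribute values, URLs, and a JavaScript string literal. Function names are mine and the sample values are constructed.

```php
<?php
// Added example, not TYPO3 code. Escaping for the output context decides
// whether user-controlled text is data or markup.

// HTML text and attribute context. ENT_QUOTES covers both quote styles, so
// the same helper is safe inside double- or single-quoted attributes.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string-literal context: json_encode() with the HEX flags turns
// <, >, &, ' and " into \uXXXX escapes, so a "</script>" inside the data
// cannot close the surrounding script element.
function js(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Defect class from the advisory: file name and excerpt land in the page as-is.
function renderRowUnsafe(string $fileName, string $excerpt): string
{
    return "<tr><td>$fileName</td><td>$excerpt</td></tr>";
}

function renderRow(string $fileName, string $excerpt): string
{
    return '<tr><td>' . h($fileName) . '</td><td>' . h($excerpt) . '</td></tr>';
}

// URL context on top of attribute context: escaping alone does not stop a
// non-http scheme in an href, so the scheme is checked against an allowlist.
function renderLink(string $fileName, string $href): string
{
    $scheme = parse_url($href, PHP_URL_SCHEME);
    if ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https'], true)) {
        $href = '#';
    }
    return '<a href="' . h($href) . '">' . h($fileName) . '</a>';
}

function renderInlineScript(string $fileName): string
{
    return '<script>var selected = ' . js($fileName) . ';</script>';
}

// Constructed sample values of the kind a backend user could upload or type.
$name = '<script>alert(1)</script>.pdf';
$excerpt = 'quarterly "report" & notes';
echo renderRowUnsafe($name, $excerpt), PHP_EOL;  // markup survives into the page
echo renderRow($name, $excerpt), PHP_EOL;        // &lt;script&gt;... shown as text
echo renderLink($name, 'javascript:alert(1)'), PHP_EOL; // href replaced by "#"
echo renderInlineScript($name), PHP_EOL;         // "\u003Cscript\u003E..." as a JS string
```

A single `h()` call is not sufficient for every context; the inline-script and link cases above are the ones that most often slip through when a module only escapes its table cells.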
Note on TYPO3 Lifecycle Policy:
The following TYPO3 versions are currently (as of January 2009) officially supported:
- TYPO3 4.2 (current stable; updates and security fixes)
- TYPO3 4.1 (old stable; updates and security fixes)
- TYPO3 4.0 (old old stable; security fixes only)