It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting, Information Disclosure, Insecure Unserialize
Component Type: TYPO3 Core
Affected Versions: 4.4.0 up to 4.4.13, 4.5.0 up to 4.5.13, 4.6.0 up to 4.6.6 and development releases of the 4.7 and 6.0 branches.
Vulnerability Types: Cross-Site Scripting, Information Disclosure, Insecure Unserialize
Overall Severity: Medium
Release Date: March 28, 2012
Updated: March 30, 2012 (added CVEs)
Affected Versions: Versions 4.4.x and 4.5.x are not affected by this vulnerability.
Vulnerability Type: Insecure Unserialize
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C
CVE: CVE-2012-1605
**Problem Description:** Due to a missing signature (HMAC) for a request argument, an attacker could unserialize arbitrary objects within TYPO3.
To our knowledge it is neither possible to inject code through this vulnerability, nor are there exploitable objects within the TYPO3 Core. However, there might be exploitable objects within third party extensions.
Solution: Update to TYPO3 version 4.6.7, which fixes the problem described!
Note: The same problem applies to FLOW3. Read the corresponding advisory TYPO3-FLOW3-SA-2012-001 for more information.
Credits: Credits go to Security Team Member Helmut Hummel who discovered and reported the issue.
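The following is an added example, not TYPO3 Core code, of the mitigation the advisory describes: a serialized request argument is only accepted by the server if it carries a valid HMAC, so unsigned or tampered values never reach unserialize(). The function names, the '|' separator and the placeholder secret are assumptions for illustration; the allowed_classes restriction is an extra hardening step beyond the HMAC itself. PHP 8 is assumed.

```php
<?php
// Added example, not TYPO3 Core code: sign a serialized request argument with
// an HMAC and verify the signature before unserialize() is ever called, so
// that only values the server itself produced can be unserialized.
// Assumptions: the '|' separator, the function names and $secret are
// illustrative; a real secret comes from server-side configuration.

declare(strict_types=1);

const HMAC_ALGO = 'sha256';
const HMAC_HEX_LENGTH = 64; // length of a hex-encoded SHA-256 HMAC

/** Serialize a value and append an HMAC computed over the serialized bytes. */
function signArgument(mixed $value, string $secret): string
{
    $payload = serialize($value);
    return $payload . '|' . hash_hmac(HMAC_ALGO, $payload, $secret);
}

/**
 * Check the HMAC and only then unserialize. Returns null when the signature
 * is missing, malformed or wrong; unsigned input never reaches unserialize().
 */
function verifyAndUnserialize(string $argument, string $secret): mixed
{
    // The HMAC is hex, so the last '|' always delimits it even if the
    // serialized payload itself contains '|' characters.
    $separator = strrpos($argument, '|');
    if ($separator === false) {
        return null;
    }
    $payload = substr($argument, 0, $separator);
    $providedHmac = substr($argument, $separator + 1);
    if (strlen($providedHmac) !== HMAC_HEX_LENGTH) {
        return null;
    }
    $expectedHmac = hash_hmac(HMAC_ALGO, $payload, $secret);
    // Constant-time comparison so the check does not leak via timing.
    if (!hash_equals($expectedHmac, $providedHmac)) {
        return null;
    }
    // Defence in depth beyond the advisory's fix: even a correctly signed
    // payload is not allowed to instantiate objects.
    return unserialize($payload, ['allowed_classes' => false]);
}

// Constructed demonstration values.
$secret = 'placeholder-server-side-secret'; // assumption: stands in for the real key
$original = ['file' => 'report.pdf', 'page' => 3];

$signed = signArgument($original, $secret);
var_dump(verifyAndUnserialize($signed, $secret) === $original);

// A value without a signature, and one with a forged signature, are both
// rejected before unserialize() runs.
$unsigned = serialize(['file' => 'other.pdf']);
var_dump(verifyAndUnserialize($unsigned, $secret));
$forged = $unsigned . '|' . str_repeat('0', HMAC_HEX_LENGTH);
var_dump(verifyAndUnserialize($forged, $secret));
```

The point of the pattern is ordering: the signature is checked with hash_equals() before any byte of the argument is handed to unserialize(), which is what a missing HMAC allowed an attacker to skip.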
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C
CVE: CVE-2012-1606
**Problem Description:** Failing to properly HTML-encode user input in several places, the TYPO3 backend is susceptible to Cross-Site Scripting. A valid backend user is required to exploit these vulnerabilities.
Solution: Update to the TYPO3 versions 4.4.14, 4.5.14 or 4.6.7 that fix the problem described!
Important Note: With these TYPO3 versions the description field of the filelink content element is HTML encoded by default. If you allowed editors to enter HTML code in this field, you may want to add the following line to your TypoScript template, before updating.
tt_content.uploads.20.itemRendering.20.2.htmlSpecialChars = 0
Allowing editors to enter HTML in this field is discouraged, just as allowing the plain HTML content element is.
Credits: Credits go to Security Team Members Georg Ringer and Oliver Klee who discovered and reported the issues.
Vulnerability Type: Information Disclosure
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C
CVE: CVE-2012-1607
**Problem Description:** Accessing a CLI script directly with a browser may disclose the database name used for the TYPO3 installation.
Solution: Update to the TYPO3 versions 4.4.14, 4.5.14 or 4.6.7 that fix the problem described!
Credits: Credits go to Chris John Riley who discovered and reported the issue.
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C
CVE: CVE-2012-1608
**Problem Description:** By not removing non-printable characters, the API method t3lib_div::RemoveXSS() fails to filter specially crafted HTML injections and is thus susceptible to Cross-Site Scripting.
Note: Developers should never rely on the blacklist of RemoveXSS() alone, but should always properly encode user input before outputting it again.
Solution: Update to the TYPO3 versions 4.4.14, 4.5.14 or 4.6.7 that fix the problem described!
Credits: Credits go to Marc Wöhlken who discovered and reported the issue.
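The following is an added example, not TYPO3 Core code and not the code of RemoveXSS(), illustrating the note above: a blacklist filter compares strings, so a non-printable character inside a keyword defeats the match, whereas encoding every markup character at output time is independent of what the input contains. naiveBlacklistFilter() is an illustrative stand-in, the check functions are assumptions, and PHP 8 with UTF-8 output in an HTML context is assumed.

```php
<?php
// Added example, not TYPO3 Core code: why output encoding must not be
// replaced by a blacklist filter. naiveBlacklistFilter() is an illustrative
// stand-in for a blacklist such as RemoveXSS(), not that function's code.
// Assumptions: PHP 8, UTF-8 output, HTML text or attribute context.

declare(strict_types=1);

/** Illustrative blacklist: strips a few well-known dangerous substrings. */
function naiveBlacklistFilter(string $input): string
{
    return preg_replace('/<script|javascript:|onerror=/i', '', $input) ?? '';
}

/** Remove ASCII control characters except tab, line feed and carriage return. */
function stripNonPrintable(string $input): string
{
    return preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $input) ?? '';
}

/** Encode for output: strip control characters, then escape every markup character. */
function encodeForHtml(string $input): string
{
    return htmlspecialchars(stripNonPrintable($input), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Detection check for filtered output: does a blacklisted token reappear once
 * the control characters a browser may ignore are removed?
 */
function blacklistWasBypassed(string $filtered): bool
{
    return preg_match('/<script|javascript:|onerror=/i', stripNonPrintable($filtered)) === 1;
}

/** True if the string still contains characters that are significant in HTML. */
function containsRawMarkup(string $output): bool
{
    return strpbrk($output, '<>"\'') !== false;
}

// Constructed inputs: the same tag, once plain and once with a NUL byte
// inside the keyword, which is the class of input the advisory describes.
$plainTag = '<script>alert(1)</script>';
$withControlChar = "<scr\x00ipt>alert(1)</script>";

// The blacklist catches the plain form; the control character defeats the
// string match, so the token survives filtering intact.
var_dump(blacklistWasBypassed(naiveBlacklistFilter($plainTag)));
var_dump(blacklistWasBypassed(naiveBlacklistFilter($withControlChar)));

// Encoding at output time leaves no raw markup characters in either case.
var_dump(containsRawMarkup(encodeForHtml($plainTag)));
var_dump(containsRawMarkup(encodeForHtml($withControlChar)));
```

Stripping non-printable characters before filtering is what the fixed RemoveXSS() does; the example pairs it with htmlspecialchars() because encoding, not filtering, is what makes the output safe regardless of the input.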
General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.