### TYPO3-SA-2010-012: Multiple vulnerabilities in TYPO3 Core

**Categories:** TYPO3 CMS

**Affected Versions:** 4.1.13 and below, 4.2.12 and below, 4.3.3 and below, 4.4

**Vulnerability Types:** Cross-Site Scripting (XSS), Open Redirection, SQL Injection, Broken Authentication and Session Management, Insecure Randomness, Information Disclosure, Arbitrary Code Execution

**Overall Severity:** High

**Release Date:** July 28, 2010

#### Vulnerable subcomponent #1: Backend

##### Vulnerability Type: Cross-Site Scripting

- Severity: Medium
- Problem Description: Failing to sanitize user input, the TYPO3 backend is susceptible to XSS attacks in several places. A valid backend login is required to exploit these vulnerabilities.
- Solution: Update to TYPO3 versions 4.1.14, 4.2.13, 4.3.4, or 4.4.1

##### Vulnerability Type: Open Redirection

- Severity: High
- Problem Description: Failing to sanitize user input, the TYPO3 backend is susceptible to open redirection in several places.
- Solution: Update to TYPO3 versions 4.1.14, 4.2.13, 4.3.4, or 4.4.1

##### Vulnerability Type: SQL Injection

- Severity: High
- Problem Description: Failing to properly escape user input for a database query, some backend record editing forms are susceptible to SQL injection.
- Solution: Update to TYPO3 versions 4.1.14, 4.2.13, 4.3.4, or 4.4.1

#### Vulnerable subcomponent #2: User authentication

##### Vulnerability Type: Insecure Randomness

- Severity: Very Low
- Problem Description: As a precaution against PHP's weak randomness in the uniqid() function, the random byte generation function t3lib_div::generateRandomBytes() has been significantly improved, especially for Windows systems.
- Solution: Update to TYPO3 versions 4.1.14, 4.2.13, 4.3.4, or 4.4.1

#### Vulnerable subcomponent #3: Frontend

##### Vulnerability Type: Spam Abuse

- Severity: High
- Problem Description: Failing to validate parameters, the native form content element is susceptible to spam abuse.
- Solution: Update to TYPO3 versions 4.1.14, 4.2.13, 4.3.4, or 4.4.1

#### Vulnerable subcomponent #4: Frontend Login

##### Vulnerability Type: Open Redirection, Cross-Site Scripting

- Severity: High
- Problem Description: Failing to sanitize user input, the frontend login box is susceptible to Open Redirection and Cross-Site Scripting.
- Solution: Update to TYPO3 versions 4.2.13, 4.3.4, or 4.4.1

#### Vulnerable subcomponent #5: Install Tool

##### Vulnerability Type: Broken Authentication and Session Management

- Severity: Low
- Problem Description: TYPO3 authenticates Install Tool users without invalidating a supplied session identifier.
- Solution: Update to TYPO3 versions 4.1.14, 4.2.13, 4.3.4, or 4.4.1

#### Vulnerable subcomponent #6: FLUID Templating Engine

##### Vulnerability Type: Cross-Site Scripting

- Severity: Low
- Problem Description: Failing to escape output, using the textarea view helper in an Extbase extension leads to an XSS vulnerability.
- Solution: Update to TYPO3 versions 4.3.4 or 4.4.1

#### Vulnerable subcomponent #7: Mailing API

##### Vulnerability Type: Information Disclosure

- Severity: Very Low
- Problem Description: The TYPO3 HTML mailing API class t3lib_htmlmail includes the exact version number of the TYPO3 installation in the email header.
- Solution: Update to TYPO3 versions 4.2.13, 4.3.4, or 4.4.1

#### Vulnerable subcomponent #8: Introduction Package

##### Vulnerability Type: Cross-Site Scripting

- Severity: Medium
- Problem Description: Failing to properly escape output, the frontend search box is susceptible to XSS.
- Solution: Update to version 4.4.1 of the Introduction Package

### General Advice:

- Follow the recommendations provided in the TYPO3 Security Cookbook.

### Credits:

- Various security team members and core team members discovered and reported the issues.
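The open-redirection and XSS findings in the backend (subcomponent #1) and the frontend login box (#4) share one root cause: a user-supplied redirect target is used without validation and echoed without escaping. The following PHP is an added example written for this page, not TYPO3 code; `safeRedirectTarget()` is a hypothetical helper, the allowed host `www.example.org` and the `redirect_url` parameter name are assumptions, and the sample inputs are constructed.

```php
<?php
// Added example (not TYPO3 code): validate a user-supplied redirect target
// before it reaches a Location header, and escape it when it is echoed back
// into the login form. Defends against the open-redirection and XSS findings.

/**
 * Returns $target if it is a same-site relative path or an http(s) URL on
 * $allowedHost, otherwise $fallback. Hypothetical helper, not part of TYPO3.
 * Note: the port is not compared; add a check if the site runs on one port only.
 */
function safeRedirectTarget(string $target, string $allowedHost, string $fallback = '/'): string
{
    // Control characters (CR/LF included) would allow header injection; reject outright.
    if ($target === '' || preg_match('/[\x00-\x1F\x7F]/', $target)) {
        return $fallback;
    }
    // Protocol-relative ("//other.example") and backslash variants resolve to another
    // origin in browsers, so they are never accepted as "relative".
    if (preg_match('#^[/\\\\]{2}#', $target)) {
        return $fallback;
    }
    $parts = parse_url($target);
    if ($parts === false) {
        return $fallback;
    }
    if (isset($parts['scheme']) || isset($parts['host'])) {
        // Absolute URL: only http or https, and only to our own host.
        $scheme = strtolower($parts['scheme'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true)) {
            return $fallback; // covers javascript:, data:, etc.
        }
        if (strcasecmp($parts['host'] ?? '', $allowedHost) !== 0) {
            return $fallback; // covers user@host tricks, since parse_url separates them
        }
        return $target;
    }
    // Relative target: must be an absolute path on this site (single leading slash).
    if ($target[0] !== '/') {
        return $fallback;
    }
    return $target;
}

$allowedHost = 'www.example.org'; // assumed site host

// Constructed inputs showing what is kept and what falls back to "/".
$samples = [
    '/index.php?id=5',
    'https://www.example.org/index.php?id=1',
    '//other.example/',
    'http://other.example/',
    'javascript:alert(1)',
    "/index.php\r\nSet-Cookie: x=y",
];
foreach ($samples as $s) {
    printf("%-45s -> %s\n", addcslashes($s, "\r\n"), safeRedirectTarget($s, $allowedHost));
}

// When the chosen target is written back into the login form as a hidden field,
// escape it for HTML attribute context so it cannot break out of the attribute.
$chosen = safeRedirectTarget($_GET['redirect_url'] ?? '', $allowedHost);
echo '<input type="hidden" name="redirect_url" value="'
    . htmlspecialchars($chosen, ENT_QUOTES, 'UTF-8') . '">' . PHP_EOL;
```

Run it from the command line to see the first two samples pass through unchanged and the remaining four replaced by `/`. The design choice is an allow-list: only a same-site path or a URL on the configured host survives, rather than trying to enumerate bad prefixes.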
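The SQL injection finding in subcomponent #1 concerns record-editing forms whose input reaches a query unescaped. The PHP below is an added example for this page, not TYPO3 code: it uses an in-memory SQLite database through PDO (an assumption; TYPO3 4.x used its own database layer) and a constructed `tt_content`-like table to show the vulnerable pattern beside the parameterised one.

```php
<?php
// Added example (not TYPO3 code): a record lookup written first with string
// concatenation, then with input validation plus a bound parameter. The
// database and rows are constructed so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tt_content (uid INTEGER PRIMARY KEY, header TEXT, hidden INTEGER)');
$db->exec("INSERT INTO tt_content (header, hidden) VALUES ('Public element', 0), ('Hidden draft', 1)");

// Vulnerable: the uid from the editing form is concatenated into the SQL text,
// so the "hidden = 0" restriction can be commented away by the input.
function loadRecordVulnerable(PDO $db, string $uid): array
{
    $sql = 'SELECT uid, header FROM tt_content WHERE uid = ' . $uid . ' AND hidden = 0';
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a record uid is a positive integer, so reject anything else, and
// pass the value as a bound parameter rather than as part of the SQL text.
function loadRecordSafe(PDO $db, string $uid): array
{
    if (!ctype_digit($uid)) {
        return [];
    }
    $stmt = $db->prepare('SELECT uid, header FROM tt_content WHERE uid = :uid AND hidden = 0');
    $stmt->execute([':uid' => (int) $uid]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$constructedInput = '0 OR 1=1 --'; // constructed malicious form value

print_r(loadRecordVulnerable($db, $constructedInput)); // both rows, the hidden draft included
print_r(loadRecordSafe($db, $constructedInput));       // [] : input rejected before any query
print_r(loadRecordSafe($db, '1'));                     // only the public element
```

The validation step matters as much as the prepared statement: binding stops the query text from being altered, while the type check keeps obviously malformed values out of the data layer entirely, which is also the point at which a detection rule can log the attempt.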
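Subcomponent #5 describes session fixation: the Install Tool accepted a session identifier supplied before authentication and kept using it afterwards. The PHP below is an added example for this page, not TYPO3 code; `installToolLogin()` is a hypothetical function and the password and hash are constructed values. It shows the standard defence, issuing a fresh session identifier at the moment authentication succeeds.

```php
<?php
// Added example (not TYPO3 code): regenerate the session ID on successful
// login so that an identifier the client presented before authenticating
// (planted via a link or a pre-set cookie) is no longer associated with the
// authenticated session.

/**
 * Hypothetical Install Tool login. Returns true on success.
 * On success the old session ID is discarded and its data file removed.
 */
function installToolLogin(string $suppliedPassword, string $storedHash): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!password_verify($suppliedPassword, $storedHash)) {
        // Failed attempt: the session stays anonymous and unchanged.
        return false;
    }
    // Success: new ID, old session storage deleted (the "true" argument).
    session_regenerate_id(true);
    $_SESSION['install_tool_authenticated'] = true;
    $_SESSION['authenticated_at'] = time();
    return true;
}

// Constructed demonstration values; not a real Install Tool password.
$storedHash = password_hash('example-install-password', PASSWORD_DEFAULT);

// Cookie flags belong with this fix: the session cookie should not be
// readable by script, and on HTTPS sites should be marked secure.
ini_set('session.cookie_httponly', '1');
ini_set('session.use_only_cookies', '1');

session_start();
$idBeforeLogin = session_id(); // whatever the client arrived with

$failed = installToolLogin('wrong-password', $storedHash);
$idAfterFailure = session_id();

$ok = installToolLogin('example-install-password', $storedHash);
$idAfterLogin = session_id();

// Expected: failed login keeps the ID, successful login replaces it.
printf("failed login accepted: %s, id unchanged: %s\n",
    var_export($failed, true), var_export($idAfterFailure === $idBeforeLogin, true));
printf("login accepted: %s, id changed: %s\n",
    var_export($ok, true), var_export($idAfterLogin !== $idBeforeLogin, true));
```

Regenerating only on success is deliberate: rotating the ID on every request or on failed attempts adds nothing against fixation and complicates concurrent requests. The check in an audit is simple: compare the session cookie value before and after a successful login; if it is the same, the application is still vulnerable to the pattern described here.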