TYPO3-SA-2010-012: Multiple vulnerabilities in TYPO3 Core

Categories: TYPO3 CMS
Affected Versions: 4.1.13 and below, 4.2.12 and below, 4.3.3 and below, 4.4
Vulnerability Types: Cross-Site Scripting (XSS), Open Redirection, SQL Injection, Broken Authentication and Session Management, Insecure Randomness, Information Disclosure, Arbitrary Code Execution
Overall Severity: High
Release Date: July 28, 2010

Vulnerable subcomponent #1: Backend

Vulnerability Type: Cross-Site Scripting
Severity: Medium
Problem Description: Failing to sanitize user input, the TYPO3 backend is susceptible to XSS attacks in several places. A valid backend login is required to exploit these vulnerabilities.
Solution: Update to the TYPO3 versions 4.1.14, 4.2.13, 4.3.4 or 4.4.1

Vulnerability Type: Open Redirection
Severity: High
Problem Description: Failing to sanitize user input, the TYPO3 backend is susceptible to open redirection in several places.
Solution: Update to the TYPO3 versions 4.1.14, 4.2.13, 4.3.4 or 4.4.1

Vulnerability Type: SQL Injection
Severity: High
Problem Description: Failing to properly escape user input for a database query, some backend record editing forms are susceptible to SQL injection.
Solution: Update to the TYPO3 versions 4.1.14, 4.2.13, 4.3.4 or 4.4.1

Vulnerable subcomponent #2: User authentication

Vulnerability Type: Insecure Randomness
Severity: Very Low
Problem Description: As a precaution against PHP's weak randomness in the uniqid() function, the random byte generation function t3lib_div::generateRandomBytes() has been vastly improved, especially for Windows systems.
Solution: Update to the TYPO3 versions 4.1.14, 4.2.13, 4.3.4 or 4.4.1

Vulnerable subcomponent #3: Frontend

Vulnerability Type: Spam Abuse
Severity: High
Problem Description: Failing to check for valid parameters, the native form content element is susceptible to spam abuse.
Solution: Update to the TYPO3 versions 4.1.14, 4.2.13, 4.3.4 or 4.4.1

Vulnerable subcomponent #4: Frontend Login

Vulnerability Type: Open Redirection, Cross-Site Scripting
Severity: High
Problem Description: Failing to sanitize user input, the frontend login box is susceptible to Open Redirection and Cross-Site Scripting.
Solution: Update to the TYPO3 versions 4.2.13, 4.3.4 or 4.4.1

Vulnerable subcomponent #5: Install Tool

Vulnerability Type: Broken Authentication and Session Management
Severity: Low
Problem Description: TYPO3 authenticates install tool users without invalidating a supplied session identifier.
Solution: Update to the TYPO3 versions 4.1.14, 4.2.13, 4.3.4 or 4.4.1

Vulnerable subcomponent #6: FLUID Templating Engine

Vulnerability Type: Cross-Site Scripting
Severity: Low
Problem Description: Failing to escape the output, using the textarea view helper in an extbase extension leads to an XSS vulnerability.
Solution: Update to the TYPO3 versions 4.3.4 or 4.4.1

Vulnerable subcomponent #7: Mailing API

Vulnerability Type: Information Disclosure
Severity: Very Low
Problem Description: The TYPO3 HTML mailing API class t3lib_htmlmail includes the exact version number of the TYPO3 installation in the mail header.
Solution: Update to the TYPO3 versions 4.2.13, 4.3.4 or 4.4.1

Vulnerable subcomponent #8: Introduction Package

Vulnerability Type: Cross-Site Scripting
Severity: Medium
Problem Description: Failing to properly escape the output, the frontend search box is susceptible to XSS.
Solution: Update to version 4.4.1 of the introduction package

General Advice: Follow the recommendations that are given in the TYPO3 Security Cookbook.

Credits: Various security team members and core team members discovered and reported the issues.