Typo3 update closes numerous critical holes
The Typo3 developers have released versions 4.1.13, 4.2.10 and 4.3 beta 2, closing a total of nine security holes. The problems include cross-site scripting (XSS) vulnerabilities, SQL injection holes, and ways to bypass protective mechanisms and read data that should not be accessible.
The (technically) most critical flaw lies in the system's processing of uploaded files. It reportedly allows editors to submit and run arbitrary system shell commands via specially crafted file names. However, the editor must be logged into the system to exploit the hole, and the same applies to the SQL injection holes. Furthermore, the shell attack only succeeds if the files are uploaded via third-party extensions or FTP; when they are uploaded via the integrated standard module, file names are normalised correctly.
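As an added illustration of the normalisation the article credits the standard upload module with (example code, not Typo3's own, written in Python rather than PHP because the technique is language-independent), the block below reduces an upload name to a conservative alphabet and builds the external command as an argument vector so the name never reaches a shell; the regular expressions, the 100-character limit and the use of the `file` tool are assumptions.

```python
import re

# Assumed policy: anything outside this alphabet is replaced, never passed through.
SAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")
# Characters a POSIX shell would interpret; used only to flag and log suspicious names.
SHELL_META = re.compile(r"[;&|`$<>(){}\[\]*?!\\'\"\s]")
MAX_LEN = 100  # assumed limit


def has_shell_metacharacters(name: str) -> bool:
    """Detection helper: True if the raw upload name contains shell syntax."""
    return SHELL_META.search(name) is not None


def normalise_filename(name: str) -> str:
    """Map an untrusted upload name to a name that is safe to store and to pass on."""
    # Discard any directory component the client may have supplied.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Replace everything outside the safe alphabet and collapse runs of replacements.
    base = SAFE_CHARS.sub("_", base)
    base = re.sub(r"_+", "_", base)
    # No leading dots or dashes: avoids hidden files and names that look like options.
    base = base.lstrip("._-")
    if not base:
        base = "file"
    # Bound the length while keeping a short extension intact.
    if len(base) > MAX_LEN:
        stem, dot, ext = base.rpartition(".")
        if dot and 0 < len(ext) <= 10:
            base = stem[: MAX_LEN - len(ext) - 1] + "." + ext
        else:
            base = base[:MAX_LEN]
    return base


def build_identify_command(upload_name: str) -> list:
    """Argument vector for an external tool (here `file`, assumed).

    The vulnerable pattern is string concatenation run through a shell, e.g.
    subprocess.run("file " + upload_name, shell=True). Passing a list with
    shell=False and a '--' separator means the name is a single argument and
    can neither inject commands nor be parsed as an option.
    """
    return ["file", "--", normalise_filename(upload_name)]
```

Run the resulting list with `subprocess.run(argv, shell=False)`; the raw name should additionally be logged whenever `has_shell_metacharacters` returns True, since a crafted name is a useful signal even when it is neutralised.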
Version 4.0.13 is also affected, but this branch is no longer supported. Support for version 4.1 will end after the release of the stable version 4.3, which is scheduled for the end of November 2009.