Hole in TYPO3: When equal isn't identical
Another flaw in the jumpURL function of the open source TYPO3 content management system (CMS) allows intruders to download arbitrary files – in the worst case, attackers will be able to obtain the localconf.php file, which contains the (hashed) password for the install tool as well as a user name and password for the database. Early last year, a similar flaw was exploited to hack the website of German Federal Minister of Finance, Wolfgang Schäuble.
However, this time the situation doesn't appear quite as critical. The developers say that the hash value required for retrieving files can be spoofed to bypass TYPO3 access control. The problem exists because the comparison of the transmitted hash value with the hash value computed by the server is not type-safe. In vulnerable installations, TYPO3 only verifies that the hashes are equal ($a == $b) instead of checking whether they are identical ($a === $b). Because PHP converts types implicitly in an equality comparison, comparing values such as '' == 0 will return true. The report doesn't give any details about how exactly this can be exploited to bypass access control.
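The difference between an equal and an identical hash check, as an added example that is not TYPO3 code and not taken from the report: SECRET, expectedHash(), checkLoose() and checkStrict() are hypothetical names and the inputs are constructed. The hardened form goes one step beyond === by requiring a string and comparing with hash_equals(); it assumes PHP 7 or later.

```php
<?php
// Added example; all names and values here are hypothetical, not TYPO3's.
const SECRET = 'constructed-example-key';

function expectedHash(string $file): string
{
    return hash_hmac('sha256', $file, SECRET);
}

// Weak form: == may convert one operand to the other's type before comparing.
function checkLoose($supplied, string $file): bool
{
    return $supplied == expectedHash($file);
}

// Hardened form: accept only a string of the expected length, then compare
// byte for byte in constant time. No type conversion takes place.
function checkStrict($supplied, string $file): bool
{
    $expected = expectedHash($file);
    if (!is_string($supplied) || strlen($supplied) !== strlen($expected)) {
        return false;
    }
    return hash_equals($expected, $supplied);
}

// Constructed test values of several types.
$file  = 'fileadmin/example.pdf';
$cases = [
    'correct hash' => expectedHash($file),
    'empty string' => '',
    'null'         => null,
    'integer 0'    => 0,    // loose result depends on PHP version and hash value
    'boolean true' => true, // loosely equal to any string other than '' and '0'
];

foreach ($cases as $label => $value) {
    printf(
        "%-13s loose=%-5s strict=%s\n",
        $label,
        var_export(checkLoose($value, $file), true),
        var_export(checkStrict($value, $file), true)
    );
}
```

Only the correct hash passes checkStrict(); checkLoose() additionally accepts at least one value that is not a hash at all.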
Versions 4.2.14, 4.3.6 and 4.4.3 are all said to be affected; updating to 4.2.15, 4.3.7 and 4.4.4 fixes the flaw. The updates also correct a number of other problems, including cross-site scripting (XSS) and Denial of Service (DoS) vulnerabilities. Administrators are advised to install the updates as soon as possible.