In association with heise online

12 June 2008, 10:59

Security update for Typo3

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

The development team behind the content management system Typo3 are advising users to update to versions 4.0.9, 4.1.7 or 4.2.1, which fix two vulnerabilities. According to a security bulletin, if Typo3 is running on an Apache web server, attackers can upload and execute their own PHP code on the server. The fault lies with precisely the function which is intended to prevent this from happening – Typo3 checks uploaded file types and does not allow PHP scripts to be uploaded.

It's possible to bypass this protection if the mod_mime module is activated on the Apache server and the file has multiple file extensions, of which .php is not the last. A similar attack is also possible using crafted .htaccess files. The developers class the problem as critical.

A successful attack requires the attacker to be authenticated in either the Typo3 back end or the front end. As an alternative to installing the update, the security bulletin also describes a workaround involving changing Typo3's configuration. The development team have also fixed a cross-site scripting vulnerability in the file, which is used in extensions including direct_mail_subscription, feuser_admin and kb_md5fepw. Systems not running these extensions are not vulnerable.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit