Security update for Typo3
The development team behind the content management system Typo3 are advising users to update to versions 4.0.9, 4.1.7 or 4.2.1, which fix two vulnerabilities. According to the security bulletin, if Typo3 is running on an Apache web server, an attacker can upload and execute their own PHP code on the server. The fault lies in precisely the function intended to prevent this: Typo3 checks the names of uploaded files against a deny pattern so that PHP scripts cannot be uploaded, but the check only considers the last file extension.

It is possible to bypass this protection if the mod_mime module is active on the Apache server and the uploaded file has multiple extensions of which .php is not the last (a name ending in .php.txt, for example), because mod_mime evaluates every extension in the name and can still hand the file to the PHP handler. A similar attack is possible with a crafted .htaccess file, which can instruct Apache to treat other extensions as PHP. The developers class the problem as critical.

A successful attack requires the attacker to be authenticated in either the Typo3 back end or the front end. As an alternative to installing the update, the security bulletin describes a workaround that tightens the fileDenyPattern setting in Typo3's configuration. The development team have also fixed a cross-site scripting vulnerability in the fe_adminLib.inc file, which is used by extensions including kb_md5fepw. Systems not running these extensions are not vulnerable.
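To make the two bypasses concrete, here is a small Python model, added here as an example and not code from Typo3, the bulletin or the article: a deny pattern that only looks at the final extension beside a stricter one, plus a simplified emulation of how mod_mime assigns a content type and a handler from every extension in a filename. The regexes, the MIME and handler tables, the handler name and the .htaccess content are assumptions constructed for the example; the stricter regex is modelled on the default that later Typo3 releases shipped, not quoted from the bulletin.

```python
import re

# Illustrative fileDenyPattern regexes (assumptions for this example, not text
# from the bulletin). WEAK anchors on the last extension only; STRICT, modelled
# on the default later Typo3 releases shipped, also catches a PHP extension
# followed by further extensions, and the .htaccess file itself. Both are
# applied case-insensitively, as assumed here.
WEAK_DENY = re.compile(r"\.(php[3-6]?|phpsh|phtml)$", re.IGNORECASE)
STRICT_DENY = re.compile(r"\.(php[3-6]?|phpsh|phtml)(\..*)?$|^\.htaccess$", re.IGNORECASE)


def upload_allowed(filename, deny_pattern):
    """True when the deny pattern does not match, i.e. the upload would be accepted."""
    return deny_pattern.search(filename) is None


# Simplified model of Apache mod_mime: every dot-separated suffix is an
# extension, content type and handler are separate slots, and for each slot
# the rightmost extension that maps to it wins. Assumed baseline config:
# a few mime.types entries plus an AddHandler line for PHP (constructed).
BASE_TYPES = {"txt": "text/plain", "jpg": "image/jpeg", "html": "text/html",
              "php": "application/x-httpd-php"}
BASE_HANDLERS = {"php": "php5-script"}


def mod_mime_resolve(filename, types=BASE_TYPES, handlers=BASE_HANDLERS):
    """Return (content_type, handler) the way the mod_mime model assigns them."""
    content_type = handler = None
    for ext in filename.split(".")[1:]:
        ext = ext.lower()
        content_type = types.get(ext, content_type)
        handler = handlers.get(ext, handler)
    return content_type, handler


def executes_as_php(filename, types=BASE_TYPES, handlers=BASE_HANDLERS):
    """PHP runs the request if either the handler or the content type is PHP's."""
    content_type, handler = mod_mime_resolve(filename, types, handlers)
    return handler == "php5-script" or content_type == "application/x-httpd-php"


def apply_htaccess(text, types=BASE_TYPES, handlers=BASE_HANDLERS):
    """Merge AddType/AddHandler lines from an uploaded .htaccess into copies of the maps."""
    types, handlers = dict(types), dict(handlers)
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0].startswith("#"):
            continue
        directive, value, exts = tokens[0].lower(), tokens[1], tokens[2:]
        for ext in exts:
            ext = ext.lstrip(".").lower()
            if directive == "addtype":
                types[ext] = value
            elif directive == "addhandler":
                handlers[ext] = value
    return types, handlers


def assess(filename, deny_pattern):
    """(accepted by the upload check, would Apache then run it as PHP)."""
    accepted = upload_allowed(filename, deny_pattern)
    return accepted, accepted and executes_as_php(filename)


if __name__ == "__main__":
    for name in ("shell.php", "shell.php.txt", "SHELL.PhP.JPG", "notes.txt", ".htaccess"):
        print(f"{name:16} weak={assess(name, WEAK_DENY)}  strict={assess(name, STRICT_DENY)}")

    # Constructed .htaccess an attacker could upload past the weak pattern:
    # once it is in place, even a plain .txt upload is handed to PHP.
    EVIL_HTACCESS = "AddHandler php5-script .txt\n"
    t, h = apply_htaccess(EVIL_HTACCESS)
    print("notes.txt after .htaccess:", executes_as_php("notes.txt", t, h))
```

Run stand-alone, the model shows the weak pattern accepting shell.php.txt and SHELL.PhP.JPG, both of which mod_mime still routes to the PHP handler, while the strict pattern rejects them together with .htaccess. The second half shows why the .htaccess vector is independent of the extension check: after the uploaded file maps .txt to the PHP handler, a harmless-looking notes.txt executes too, which is why disabling per-directory overrides for upload locations (AllowOverride None) is a sensible defence alongside the Typo3 fix.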
- TYPO3 Security Bulletin TYPO3-20080611-1: Multiple vulnerabilities in TYPO3 Core, security advisory from Typo3