Security update for Typo3
The development team behind the content management system Typo3 are advising users to update to versions 4.0.9, 4.1.7 or 4.2.1, which fix two vulnerabilities. According to a security bulletin, if Typo3 is running on an Apache web server, attackers can upload and execute their own PHP code on the server. The fault lies with precisely the function which is intended to prevent this from happening – Typo3 checks uploaded file types and does not allow PHP scripts to be uploaded.
It's possible to bypass this protection if the mod_mime module is activated on the Apache server and the file has multiple file extensions, of which .php is not the last. A similar attack is also possible using crafted .htaccess files. The developers class the problem as critical.
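To make the weakness concrete from the defender's side, here is an added example (not code from TYPO3 or from the bulletin) of an upload-name validator written the way the bypass suggests it should be: it checks every dot-separated extension segment, not just the last one, and refuses Apache control files outright. The script-extension list and the rule that anything starting with `.ht` is rejected are assumptions for this example, modelled on a typical mod_php and default Apache `httpd.conf` setup; adjust them to the handlers your server actually maps.

```python
# Extensions that a mod_mime/mod_php setup may hand to the PHP interpreter.
# Constructed list for this example; align it with the server's AddHandler lines.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phps"}


def _basename(filename: str) -> str:
    """Strip any directory part so a crafted path cannot hide the real name."""
    return filename.replace("\\", "/").rsplit("/", 1)[-1]


def naive_is_allowed(filename: str) -> bool:
    """The weak check: looks only at the final extension.

    With mod_mime active, Apache may still treat 'shell.php.txt' as PHP,
    because mod_mime honours every extension it recognises, not only the last.
    """
    name = _basename(filename).lower()
    last_ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return last_ext not in SCRIPT_EXTENSIONS


def hardened_is_allowed(filename: str) -> bool:
    """The stronger check: reject if ANY extension segment is a script extension,
    and reject Apache per-directory control files (.htaccess, .htpasswd, ...).
    """
    name = _basename(filename).lower()
    # Apache's default config denies serving ".ht*" files; never accept them
    # as uploads either, since a crafted .htaccess can remap handlers.
    if name.startswith(".ht"):
        return False
    segments = name.split(".")
    # segments[0] is the base name; every later segment is an extension
    return not any(seg in SCRIPT_EXTENSIONS for seg in segments[1:])


def compare(filename: str) -> dict:
    """Return both verdicts so the gap between the two checks is visible."""
    return {
        "naive": naive_is_allowed(filename),
        "hardened": hardened_is_allowed(filename),
    }


if __name__ == "__main__":
    # Constructed sample upload names for the demo.
    for candidate in ["report.pdf", "archive.tar.gz", "shell.php",
                      "shell.php.txt", "image.PHP.jpg", ".htaccess"]:
        print(f"{candidate:16} -> {compare(candidate)}")
```

The interesting rows are `shell.php.txt` and `.htaccess`: the last-extension check lets both through, the segment-wise check rejects both. A validator like this belongs alongside, not instead of, an Apache handler mapping anchored to the end of the filename and a policy of serving uploads from a directory where script execution is disabled.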
A successful attack requires the attacker to be authenticated in either the Typo3 back end or the front end. As an alternative to installing the update, the security bulletin also describes a workaround involving changing Typo3's configuration. The development team have also fixed a cross-site scripting vulnerability in the rfe_adminlib.inc file, which is used in extensions including direct_mail_subscription, feuser_admin and kb_md5fepw. Systems not running these extensions are not vulnerable.
See also:
- TYPO3 Security Bulletin TYPO3-20080611-1: Multiple vulnerabilities in TYPO3 Core, security advisory from Typo3
(trk)