Typo3 allows injection of system commands
The developers of the open source content management system Typo3 have warned of a critical security vulnerability that could allow an attacker to inject and execute arbitrary commands on the system. The cause of the problem is the failure to filter user-supplied parameters passed to the rtehtmlarea extension, which is included as standard in Typo3 versions 4.0 and later. The extension can also be installed optionally on systems prior to version 4.0.
The module uses the aspell system tool, which it invokes via a system call, to check syntax. Crafted parameters could be used by an attacker to inject and execute commands on the server. According to SEC Consult, who discovered the vulnerability, no authentication is necessary. For the attack to work, the safe_mode PHP security option must be deactivated. A security bulletin on the Typo3 website provides further information. The current version 4.0, Typo3 4.1 beta 1 and the older versions 3.7.x and 3.8.x are affected. Patches for all versions are available from the Typo3 server.
The Typo3 team have not indicated that the problem has been identified or exploited by attackers. Because of the critical nature of the bug, they advise users to install the updates as soon as possible.
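The unsafe pattern the advisory describes, beside a hardened form, as an added PHP illustration that is not TYPO3's or rtehtmlarea's own code; the function names and the hypothetical 'dictionary' request parameter are assumptions made for this example.

```php
<?php
// Added illustration, not TYPO3's own code; function names and the 'dictionary'
// request parameter are assumptions made for this example.

// UNSAFE PATTERN (the bug class in the advisory): an unfiltered request parameter
// is concatenated into a shell command, so shell metacharacters in it are
// interpreted by /bin/sh instead of being passed to aspell as a dictionary name.
function buildAspellCommandUnsafe(string $dictionary): string
{
    return 'aspell -a -d ' . $dictionary;   // nothing filters $dictionary
}

// HARDENED, step 1: allowlist names shaped like locale codes (en, en_GB, ...).
// The D modifier stops '$' from matching before a trailing newline.
function isValidDictionaryName(string $dictionary): bool
{
    return (bool) preg_match('/^[a-z]{2,3}(_[A-Z]{2})?$/D', $dictionary);
}

// Step 2: quote with escapeshellarg(), which single-quotes the value and
// neutralises embedded quotes. Invalid input yields null, never a command.
function buildAspellCommandSafe(string $dictionary): ?string
{
    if (!isValidDictionaryName($dictionary)) {
        return null;
    }
    return 'aspell -a -d ' . escapeshellarg($dictionary);
}

// Step 3: send the text on stdin so user text is never on the command line.
function runSpellcheck(string $dictionary, string $text): ?string
{
    $cmd = buildAspellCommandSafe($dictionary);
    if ($cmd === null) {
        return null;
    }
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    fwrite($pipes[0], $text);
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}
```

With this, `runSpellcheck('en_GB', $text)` runs aspell with a quoted dictionary name, while a value such as `'en GB'` is rejected before any command is built. The safe_mode setting the article mentions escaped system() arguments automatically, but it was deprecated in PHP 5.3 and removed in PHP 5.4, so input validation and quoting should never depend on it.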
- Remote Command Execution in Typo3, security advisory from SEC Consult
- Remote Command Execution in TYPO3, security bulletin from Typo3