In association with heise online

11 April 2010, 08:52

Typo3 allows remote command execution via PHP

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

The developers of the Typo3 CMS framework have raised the alarm in an email to, and security firm Secunia rates the problem "highly critical". In versions 4.3.0, 4.3.1 and 4.3.2 of Typo3 (as well as previous versions of the 4.4 development branch), attackers can inject PHP code from an external server and execute it within the Typo3 context.

Advisory SA-2010-008 contains details about how to fix the problem. Upgrading to version 4.3.3 is one way of improving the situation. The vulnerability is also impossible to exploit if at least one of three PHP switches is set to "off":

  • register_globals
  • allow_url_include
  • allow_url_fopen

The chances are that one of them is already switched off by default, and switching off all three is a good idea. However, this may cause compatibility problems and, as a web hosting customer, you may also only have very limited access to your PHP settings.

Administrators of Typo3 systems are advised to check immediately whether their systems are affected and implement the required measures. For checking the status of the PHP variables, simply create a file called test.php containing


and access it in your browser. The file should subsequently be deleted, as it may disclose a lot of information to potential attackers.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit