Typo3 allows remote command execution via PHP
The developers of the Typo3 CMS framework have raised the alarm in an email to typo3-announce@lists.typo3.org, and security firm Secunia rates the problem "highly critical". In versions 4.3.0, 4.3.1 and 4.3.2 of Typo3 (as well as previous versions of the 4.4 development branch), attackers can inject PHP code from an external server and execute it within the Typo3 context.
Advisory SA-2010-008 contains details about how to fix the problem. Upgrading to version 4.3.3 is one way of improving the situation. The vulnerability is also impossible to exploit if at least one of three PHP switches is set to "off":
- register_globals
- allow_url_include
- allow_url_fopen
The chances are that one of them is already switched off by default, and switching off all three is a good idea. However, this may cause compatibility problems and, as a web hosting customer, you may also only have very limited access to your PHP settings.
Administrators of Typo3 systems are advised to check immediately whether their systems are affected and implement the required measures. For checking the status of the PHP variables, simply create a file called test.php containing
<?
phpinfo();
?>
and access it in your browser. The file should subsequently be deleted, as it may disclose a lot of information to potential attackers.
See also:
- Server Peace: Individual security measures for PHP applications, background feature from The H
(djwm)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
