Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

TYPO3-SA-2009-016 – Install Tool

TYPO3-SA-2009-016

Original Release Date: October 22, 2009

Vendor: TYPO3 (Core)

Product: TYPO3 CMS – Install Tool

Affected Versions

TYPO3 versions :

  • 4.1.12 and below
  • 4.2.9 and below
  • 4.3beta1 and below

Vulnerability Type: Cross-Site Scripting

Overall Severity: Medium

Problem Description

Failing to sanitize URL parameters, the Install Tool is susceptible to Cross-site scripting attacks.

Impact

TYPO3 installations with exposed Install Tool interfaces* are exposed to possible Cross-Site Scripting style attacks.

* The Install Tool is not meant to be activated in production environments, which is already clearly stated in several places in the TYPO3 backend and the Install Tool itself. Please respect these warnings and use the new feature in TYPO3 versions 4.2.8 and above to enable the Install Tool for maintenance only and disable it immediately afterwards.

Vendor Response

Update to the TYPO3 versions 4.1.13, 4.2.10 or 4.3beta2 that fix the problem described.

Credit(s)

Credits go to Chirs John Riley and Susanne Moog who discovered and reported the issue.

References

Follow

Get every new post delivered to your Inbox.

Join 133 other followers

%d bloggers like this: