Because we're damned if we do, and we're damned if we don't!
Original Release Date: January 20, 2009 — 4pm (GMT)
Vendor: TYPO3 (Core)
Product: TYPO3 CMS (System extension Install tool)
TYPO3 versions:
- 4.0.0 – 4.0.9
- 4.1.0 – 4.1.7
- 4.2.0 – 4.2.3
Vulnerability Type: Insecure Randomness
Overall Severity: High
The TYPO3-wide encryption key is created from an insufficiently random seed, which results in low entropy.
Technical overview and problem description (including code snippets): TYPO3-Insecure Randomness
Through this vulnerability it is possible to perform an offline brute-force attack against the TYPO3 encryption key. Possible exposures include Cross-Site Scripting attacks (examined in detail in the technical overview) as well as data exposure. Use of this encryption key within TYPO3 extensions was not tested, but may open additional exposure or attack vectors.
Update to TYPO3 version 4.0.10, 4.1.8 or 4.2.4, which fix the problem described.
You will need to create a new encryption key! To do so, first clear the configuration cache, upgrade to the new TYPO3 version, open the Install tool and choose menu 1 (“Basic Configuration”). Scroll to the bottom of the page and click the “Generate random key” button. Submit the form by clicking “Update localconf.php”.
Afterwards, clear the configuration and page cache again!
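As an added example (not code from the advisory or from TYPO3 itself) covering both the entropy problem above and the key-rotation steps: a Python helper that draws a replacement key from the operating system's CSPRNG rather than a seeded PRNG, swaps it into the `encryptionKey` line of localconf.php, and runs structural checks on a key. The localconf.php line format, the 96-character hex key length, the sample file and all function names are assumptions.

```python
import re
import secrets
from typing import List, Optional, Tuple

# Assumed (not stated in the advisory): TYPO3 4.x stores the key in
# localconf.php as  $TYPO3_CONF_VARS['SYS']['encryptionKey'] = '<hex>';
KEY_LINE = re.compile(
    r"(\$TYPO3_CONF_VARS\['SYS'\]\['encryptionKey'\]\s*=\s*')([^']*)(';)")
KEY_HEX_LEN = 96  # assumed length of an Install-tool-generated key

# Constructed sample localconf.php, not a real site's file.
SAMPLE_LOCALCONF = (
    "<?php\n"
    "$TYPO3_CONF_VARS['SYS']['sitename'] = 'Example';\n"
    "$TYPO3_CONF_VARS['SYS']['encryptionKey'] = '"
    + "0123456789abcdef" * 6
    + "';  // Modified or inserted by TYPO3 Install Tool.\n"
    "?>\n"
)


def generate_encryption_key(hex_len: int = KEY_HEX_LEN) -> str:
    """Draw the key from the OS CSPRNG (secrets), not from a PRNG seeded with
    clock or process state: 96 hex chars give 384 bits of entropy, so there
    is no small seed space left for an offline search to enumerate."""
    return secrets.token_hex(hex_len // 2)


def audit_key(key: str, hex_len: int = KEY_HEX_LEN) -> List[str]:
    """Structural checks only. A key from a weakly seeded generator still
    looks random, which is why the fix is 'patch, then regenerate', never
    'inspect and keep'. Returns a list of findings (empty = passes)."""
    findings = []
    if len(key) != hex_len:
        findings.append(f"length {len(key)} != {hex_len}")
    if not re.fullmatch(r"[0-9a-f]*", key):
        findings.append("not lowercase hex")
    if len(set(key)) < 8:
        findings.append("too few distinct symbols")
    return findings


def rotate_key(localconf: str, new_key: str) -> Tuple[str, Optional[str]]:
    """Replace the stored key in localconf.php text. Returns (new text, old
    key), or (unchanged text, None) if no encryptionKey line is present.
    After writing the file, clear the configuration and page caches as the
    advisory requires, since cached values were derived from the old key."""
    match = KEY_LINE.search(localconf)
    if match is None:
        return localconf, None
    new_text = localconf[:match.start(2)] + new_key + localconf[match.end(2):]
    return new_text, match.group(2)
```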
Credits go to Chris John Riley (Raiffeisen Informatik, CERT Security Competence Center Zwettl, Austria) who discovered and reported the issue.
- TYPO3 Advisory (TYPO3-SA-2009-001)
- Typo3 Encryption Key tool