Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

TYPO3-SA-2009-001 – Insecure Randomness

TYPO3-SA-2009-001

Original Release Date: January 20, 2009 — 4pm (GMT)

Vendor: TYPO3 (Core)

Product: TYPO3 CMS (System extension Install tool)

Affected Versions

TYPO3 versions:

  • 4.0.0 – 4.0.9
  • 4.1.0 – 4.1.7
  • 4.2.0 – 4.2.3

Vulnerability Type: Insecure Randomness

Overall Severity: High

Problem Description

The encryption key used throughout TYPO3 is created with an insufficiently random seed, which results in low entropy.

Technical overview and problem overview (including code snippets): TYPO3-Insecure Randomness
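Why a key built from a small seed has low entropy no matter how long it is, shown as an added example that is not TYPO3's code and not taken from this advisory. The `weak_key` generator, the seed range and the 96-character key length are assumptions constructed for illustration.

```python
import hashlib
import math
import random
import secrets

KEY_HEX_CHARS = 96  # constructed key length, for illustration only


def weak_key(seed: int) -> str:
    """Hypothetical weak generator: the whole key is a function of one small seed."""
    rng = random.Random(seed)  # deterministic: same seed, same key
    out = ""
    while len(out) < KEY_HEX_CHARS:
        # Hashing makes the output look random but adds no entropy.
        out += hashlib.md5(str(rng.random()).encode()).hexdigest()
    return out[:KEY_HEX_CHARS]


def strong_key() -> str:
    """Hardened form: every byte comes from the operating system CSPRNG."""
    return secrets.token_hex(KEY_HEX_CHARS // 2)


def nominal_bits(key: str) -> int:
    """Entropy the key length suggests (4 bits per hex character)."""
    return len(key) * 4


def effective_bits(seed_space: int) -> float:
    """Real entropy of weak_key() when the seed is one of seed_space values."""
    distinct = {weak_key(seed) for seed in range(seed_space)}
    return math.log2(len(distinct))


if __name__ == "__main__":
    seeds = 1024  # constructed seed range
    print("weak key, nominal bits:  ", nominal_bits(weak_key(1)))
    print("weak key, effective bits:", effective_bits(seeds))
    print("CSPRNG key, bits:        ", nominal_bits(strong_key()))
```

The weak key looks like a 384-bit secret, yet it can only take as many values as there are seeds, which is why regenerating the key after upgrading matters as much as the upgrade itself.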

Impact

Through this vulnerability it is possible to perform an offline brute-force attack against the TYPO3 encryption key. Possible exposures include Cross-Site Scripting attacks (examined in detail in the technical overview), as well as possible data exposure. Use of this encryption key within TYPO3 extensions was not tested, but may also cause additional exposure or attack vectors.

Vendor Response

Update to the TYPO3 versions 4.0.10, 4.1.8 or 4.2.4 that fix the problem described.

You will need to create a new encryption key! Therefore first clear the configuration cache, upgrade to the new TYPO3 version, open the install tool and choose menu 1 (“Basic Configuration”). Scroll to the bottom of the page and click on the button “Generate random key”. Submit the form by clicking on “Update localconf.php”.

Afterwards, clear the configuration and page cache again!

Credit(s)

Credits go to Chris John Riley (Raiffeisen Informatik, CERT Security Competence Center Zwettl, Austria) who discovered and reported the issue.


2 responses to “TYPO3-SA-2009-001 – Insecure Randomness”

  1. Jesse Serrin December 19, 2009 at 21:14

    I really like what you wrote here – it’s informative. Thanks for posting this. I’ve been experimenting with WordPress lately. Do you use WordPress? Any tips for me? Visit my site if you’d like to read more. Have a good week!

  2. Pingback: Hacking like it’s 2009… going back to go forward « Cатсн²² (in)sесuяitу / ChrisJohnRiley
