Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

TYPO3-SA-2009-016 – Install Tool


Original Release Date: October 22, 2009

Vendor: TYPO3 (Core)

Product: TYPO3 CMS – Install Tool

Affected Versions

TYPO3 versions :

  • 4.1.12 and below
  • 4.2.9 and below
  • 4.3beta1 and below

Vulnerability Type: Cross-Site Scripting

Overall Severity: Medium

Problem Description

Failing to sanitize URL parameters, the Install Tool is susceptible to Cross-site scripting attacks.


TYPO3 installations with exposed Install Tool interfaces* are exposed to possible Cross-Site Scripting style attacks.

* The Install Tool is not meant to be activated in production environments, which is already clearly stated in several places in the TYPO3 backend and the Install Tool itself. Please respect these warnings and use the new feature in TYPO3 versions 4.2.8 and above to enable the Install Tool for maintenance only and disable it immediately afterwards.

Vendor Response

Update to the TYPO3 versions 4.1.13, 4.2.10 or 4.3beta2 that fix the problem described.


Credits go to Chirs John Riley and Susanne Moog who discovered and reported the issue.


%d bloggers like this: