Critical security vulnerability in TYPO3 4.x core
As pre-announced two days ago, a critical security vulnerability has been discovered in the TYPO3 4.x core: an attacker who knows a valid frontend username can authenticate as that frontend user. No password is needed for this.
TYPO3 CMS 4.5.40 LTS, which fixes the bug, was released today.
Affected TYPO3 versions:
- TYPO3 4.3.0 to 4.3.14
- TYPO3 4.4.0 to 4.4.15
- TYPO3 4.5.0 to 4.5.39
- TYPO3 4.6.0 to 4.6.18
An installation running one of the above versions is vulnerable only if all of the following conditions are true:
- The website uses the frontend login (login for website users)
- The system extension rsaauth is loaded
- The frontend login security level is set to RSA, i.e. the configuration contains
$GLOBALS['TYPO3_CONF_VARS']['FE']['loginSecurityLevel'] = 'rsa'
Accordingly, an installation is NOT vulnerable if at least one of the following conditions is true:
- TYPO3 4.7 or later is used
- The website does not use the frontend login (backend users are not affected)
- The system extension rsaauth is not loaded
- The frontend login security level is not set to 'rsa', i.e. the configuration does not contain $GLOBALS['TYPO3_CONF_VARS']['FE']['loginSecurityLevel'] = 'rsa'
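The conditions above are a conjunction of a version range check and three configuration facts, which is easy to get wrong when triaging many installations by hand. The following triage helper is an added example written for this page; it is not the TYPO3 project's patch script. It assumes that on a TYPO3 4.x system the core version is read from $TYPO_VERSION in t3lib/config_default.php and the frontend settings from typo3conf/localconf.php, that a loaded extension appears in the comma-separated $TYPO3_CONF_VARS['EXT']['extList'], and that the values are passed in as strings so the check also runs offline on copied files. The localconf.php fragment in the block is constructed for the example.

```python
"""Triage helper for the rsaauth frontend-login bypass described above.

Added example, not the TYPO3 project's own patch script.  Assumptions:
the TYPO3 4.x version string comes from $TYPO_VERSION in
t3lib/config_default.php, the settings from typo3conf/localconf.php,
and a loaded extension is listed in $TYPO3_CONF_VARS['EXT']['extList'].
"""
import re

# Version ranges listed in the advisory (inclusive). 4.5.40 and 4.7+ are not affected.
AFFECTED_RANGES = (
    ((4, 3, 0), (4, 3, 14)),
    ((4, 4, 0), (4, 4, 15)),
    ((4, 5, 0), (4, 5, 39)),
    ((4, 6, 0), (4, 6, 18)),
)

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")

# Assumed localconf.php spellings: $TYPO3_CONF_VARS[...] or $GLOBALS['TYPO3_CONF_VARS'][...]
_CONF_RE_TEMPLATE = (
    r"\$(?:GLOBALS\['TYPO3_CONF_VARS'\]|TYPO3_CONF_VARS)"
    r"\['{section}'\]\['{key}'\]\s*=\s*'([^']*)'\s*;"
)


def parse_version(version):
    """'4.5.39' -> (4, 5, 39); trailing suffixes such as '-dev' are ignored."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError("unrecognised TYPO3 version string: %r" % version)
    return tuple(int(x) for x in m.groups())


def version_is_affected(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def conf_value(localconf, section, key):
    """Return the last assignment of $TYPO3_CONF_VARS[section][key] in the
    file text, or None.  The last assignment wins, as it does in PHP."""
    pattern = re.compile(_CONF_RE_TEMPLATE.format(section=section, key=key))
    matches = pattern.findall(localconf)
    return matches[-1] if matches else None


def rsaauth_loaded(localconf):
    """Assumption: a loaded extension appears in the comma-separated extList."""
    ext_list = conf_value(localconf, "EXT", "extList") or ""
    return "rsaauth" in {e.strip() for e in ext_list.split(",")}


def is_vulnerable(version, localconf, uses_frontend_login):
    """All four conditions from the advisory must hold at the same time.
    Whether the site actually uses the frontend login cannot be read from
    the configuration reliably, so it is passed in explicitly."""
    return (
        version_is_affected(version)
        and uses_frontend_login
        and rsaauth_loaded(localconf)
        and conf_value(localconf, "FE", "loginSecurityLevel") == "rsa"
    )


# Constructed sample of a localconf.php fragment (not taken from any real site).
# The earlier 'normal' assignment is overridden by the later 'rsa' one.
SAMPLE_LOCALCONF = """<?php
$TYPO3_CONF_VARS['EXT']['extList'] = 'cms,lang,sv,felogin,rsaauth';
$TYPO3_CONF_VARS['FE']['loginSecurityLevel'] = 'normal';
$GLOBALS['TYPO3_CONF_VARS']['FE']['loginSecurityLevel'] = 'rsa';
?>"""

if __name__ == "__main__":
    for v in ("4.5.39", "4.5.40", "4.6.18", "4.7.0"):
        state = "vulnerable" if is_vulnerable(v, SAMPLE_LOCALCONF, True) else "not affected"
        print(v, state)
```

Only the last assignment of a key counts, because an include or a later line in localconf.php silently overrides an earlier one; a grep for 'rsa' alone would also flag sites where the level was later reset. The frontend-login flag is deliberately an input rather than something guessed from the extension list, since felogin being installed does not prove a login form is exposed.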
In addition, a shell script has been provided that patches all TYPO3 source trees found below a given directory. Alternatively, the patch can be applied manually from the diff file.
The TYPO3 Security Team strongly advises closing this critical vulnerability without delay, either by updating to 4.5.40 LTS or by applying the patch.
Further information: