=====================================================================
                                   CERT-Renater

                        Information Note No. 2011/VULN119
_____________________________________________________________________

DATE                      : 16/02/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running TYPO3 versions prior to 4.5.

======================================================================
http://buzz.typo3.org/teams/security/article/typo3-45-will-be-the-most-secure-typo3-version-ever/
______________________________________________________________________

TYPO3 4.5 will be the most secure TYPO3 version ever.

By: Helmut Hummel

The upcoming version 4.5 will include form protection for improved
security.

The TYPO3 Security Team strives to constantly improve every TYPO3
version, not only by fixing security issues that are brought to our
attention but also by introducing new security features. The
possibility of storing salted passwords and the RSA-encrypted
authentication introduced in TYPO3 version 4.3 are examples of such
improvements. With the upcoming version 4.5 we will introduce a generic
form protection API which will be used throughout the editors' view
(backend) in the first place, but can also be extended to be used for
website (frontend) plugins.

We'd like to explain what this protection is good for and why we
(the Core Team and the Security Team) decided not to backport this
feature to the current or older TYPO3 versions.


The Risk

The backend of current TYPO3 versions is susceptible to
Cross Site Request Forgery (CSRF or XSRF) attacks. For such an attack
to be successful, several requirements must be fulfilled:

   1. An editor must be logged in.
   2. The editor must click a malicious link received in an email
      or by visiting a malicious website.
   3. The attacker must know the exact URL of the form that should
      be submitted on behalf of the logged-in editor.

If these preconditions are fulfilled, every (TYPO3 editing) action
the editor has the right to execute can be performed without any
further confirmation by the editor.


The Fix

As of TYPO3 version 4.5, (almost) every action an authenticated
editor can perform will be secured by a token (an unguessable random
string value) submitted in every request. This makes it impossible
for an attacker to know (or guess) the exact request parameters
and/or URL for an action to be taken.
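The token scheme described above, shown as an added example that is not TYPO3's own form protection API: a per-session server-side secret, a token derived from that secret and bound to one form and action, and constant-time validation that rejects a request carrying no token, a guessed token, or a token issued for a different action (form and action names below are constructed values).

```python
import hashlib
import hmac
import secrets


def new_session_secret() -> bytes:
    """Per-session secret kept in the server-side session store.

    It is never sent to the browser; only tokens derived from it are."""
    return secrets.token_bytes(32)


def generate_token(session_secret: bytes, form_name: str, action: str) -> str:
    """Derive a token bound to this session and to one specific form/action."""
    message = f"{form_name}|{action}".encode()
    return hmac.new(session_secret, message, hashlib.sha256).hexdigest()


def validate_token(session_secret: bytes, form_name: str, action: str,
                   submitted: str) -> bool:
    """Recompute the expected token and compare it in constant time."""
    if not submitted:
        return False
    expected = generate_token(session_secret, form_name, action)
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_request(session_secret: bytes, form_name: str, action: str,
                   params: dict) -> str:
    """Server-side dispatcher: only execute when the token is valid."""
    token = params.get("formToken", "")
    if not validate_token(session_secret, form_name, action, token):
        return "rejected"
    return "executed"


def demo() -> dict:
    secret = new_session_secret()
    # Token embedded in the legitimate edit form rendered for this session.
    token = generate_token(secret, "tce_db", "delete_page")
    return {
        "legit": handle_request(secret, "tce_db", "delete_page",
                                {"formToken": token}),
        # Forged request from another site: it cannot read the session secret,
        # so it has no token at all ...
        "forged_no_token": handle_request(secret, "tce_db", "delete_page", {}),
        # ... or only a guess.
        "forged_guess": handle_request(secret, "tce_db", "delete_page",
                                       {"formToken": "0" * 64}),
        # A real token replayed against a different action is also rejected.
        "other_action": handle_request(secret, "tce_db", "move_page",
                                       {"formToken": token}),
    }
```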


Mitigation

As for any other (business-)critical task you perform over the
wire, we recommend the following for your TYPO3 editing or
administrative tasks:

   1. Always log out after finishing TYPO3 tasks.
   2. Do not visit any other internet sites while logged in.
   3. Do not read emails / do not click on any link in an email while
      logged in.
   4. Do not use the system's standard browser for TYPO3 tasks.
   5. In general: use an up-to-date (fully patched) TYPO3 version
      and no extension with a (known) vulnerability.

If you follow this advice, you will be safe with regard to this very
attack with every TYPO3 version.


The Decision

We decided not to introduce a programmatic fix in the current TYPO3
version 4.4 or any earlier version, because doing so would have
risked breaking core functionality and would have broken the
functionality of (some) extensions within minor versions of TYPO3.

Additionally, CSRF attacks require considerable effort and knowledge
of the attacked target, and by following the simple rules mentioned
above, the probability of a successful attack tends to zero. This is
why we opted for functionality and stability while still considering
all TYPO3 versions below 4.5 to be secure (enough).

We're confident that you will understand and support this decision.
======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================