Important: TYPO3 Security Hole, and How To Close It

Posted on Wednesday, December 20, 2006

If you use the excellent open-source content management system TYPO3, there is a very important security bulletin out this morning that you should read immediately: http://news.typo3.org/news/article/typo3-security-bulletin-typo3-20061220-1-remote-command-execution-in-typo3/

A flaw has been discovered in the rich-text editing component
(the rtehtmlarea system extension) that, if exploited, could allow an
attacker to execute commands on your server. The flaw can be fixed by
updating your copy of the rich-text editor to the latest version
(1.4.3 [1]), which has been patched to remove the vulnerability.

The bulletin is not written very clearly, so here are the
steps you should follow to update your TYPO3 installation:

  1. Download the .t3x package of the new editor from the
    Extension Repository
    (http://typo3.org/extensions/repository/view/rtehtmlarea/1.4.3/)
    onto your PC.
  2. The rich-text editor is a “system extension”, which you
    normally cannot update without updating the whole TYPO3 core.
    This means we will have to do a little work. Log into your TYPO3
    backend and go into the Install Tool [2], then go to “All
    configuration”. Scroll down until you find the configuration
    value [allowSystemInstall] in the [EXT] category. By default,
    this is set to zero, which prevents you from installing
    extensions into the core. Change this value to 1 (without
    quotes) [3]:
    (screenshot: the [EXT][allowSystemInstall] item in the Install Tool)
    Then scroll to the bottom of the page and click “Write to
    localconf.php”. Now you can install system
    extensions. [4]
  3. The next step is to actually install the updated extension.
    In your TYPO3 backend, click on “Ext Manager”
    under “Tools” to get to the Extension Manager. Once you’re there,
    pull down the drop-down menu labeled “Menu:” and
    select “Import Extensions” from the list of options:
    (screenshot: the Extension Manager “Menu:” drop-down)
    When the screen updates, look for the form element labeled
    “Upload extension file (.t3x):” and click the “Browse” button
    next to it:
    (screenshot: the “Upload extension file (.t3x):” form element)
    This will bring up a file chooser. Use the file chooser
    to find the .t3x file you downloaded in step 1
    and click the “Open” button to select it.
  4. Now we have to be sure to install the extension in the right
    place. Notice that beneath the element where we just picked the
    .t3x file, there is a drop-down menu labeled “… to
    location:”:
    (screenshot: the “… to location:” drop-down)
    Pull that menu down and select “System (typo3/sysext/)”.
    This will install the editor into the system core. Do not use
    any of the other options or you will have multiple versions of
    the editor floating around in your system.
  5. Check the checkbox labeled “Overwrite any existing
    extension!”
    — this will erase the old, vulnerable
    editor and replace it with the new, fixed one.
  6. Click the “upload extension file” button to
    install the extension.
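Once the upload finishes, you can check the result from a shell on the server rather than trusting the Extension Manager screen. The script below is an added example for this post, not part of the original article or of TYPO3: it looks in the three places a TYPO3 4.x site loads extensions from (typo3/sysext/, typo3/ext/ and typo3conf/ext/), reads the version out of each copy's standard ext_emconf.php (which carries a `'version' => '1.4.3',` line), and fails if any copy is older than 1.4.3 or if a stray copy exists outside typo3/sysext/, which is exactly the "multiple versions floating around" problem step 4 warns about. The fake TYPO3 tree it builds when run without arguments is constructed for demonstration only.

```shell
#!/bin/sh
# Added example (not from the original post or from TYPO3): audit a TYPO3 4.x
# tree for copies of the rtehtmlarea extension and report which are older than
# the fixed 1.4.3 release, or installed somewhere other than typo3/sysext/.
# Assumption: every extension directory carries an ext_emconf.php containing a
# line of the form   'version' => '1.4.2',   (standard 4.x extension metadata).

FIXED_VERSION=1.4.3

# Print "path version" for every rtehtmlarea/ext_emconf.php under the given
# root, checking only the three locations TYPO3 4.x loads extensions from.
list_rtehtmlarea_copies() {
    root=$1
    for dir in "$root/typo3/sysext" "$root/typo3/ext" "$root/typo3conf/ext"; do
        conf="$dir/rtehtmlarea/ext_emconf.php"
        [ -f "$conf" ] || continue
        ver=$(sed -n "s/.*'version' *=> *'\([0-9][0-9.]*\)'.*/\1/p" "$conf" | head -n 1)
        echo "$conf ${ver:-unknown}"
    done
}

# Return 0 when $1 >= $2, comparing dotted versions numerically per component
# (so 1.4.10 sorts after 1.4.3, which a plain string compare would get wrong).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1)" = "$1" ]
}

# Audit one site root. Returns 0 only when exactly one copy exists, it lives in
# typo3/sysext/, and it is at least FIXED_VERSION; otherwise prints what is
# wrong and returns 1.
audit_rtehtmlarea() {
    copies=$(list_rtehtmlarea_copies "$1")
    [ -n "$copies" ] || { echo "no rtehtmlarea found under $1"; return 1; }
    status=0
    n=$(printf '%s\n' "$copies" | wc -l | tr -d ' ')
    if [ "$n" -gt 1 ]; then
        echo "WARNING: $n copies of rtehtmlarea found; keep only the one in typo3/sysext/"
        status=1
    fi
    while read -r conf ver; do
        case "$conf" in
            */typo3/sysext/*) ;;
            *) echo "STRAY: $conf ($ver) is outside typo3/sysext/"; status=1 ;;
        esac
        if [ "$ver" = unknown ] || ! version_ge "$ver" "$FIXED_VERSION"; then
            echo "VULNERABLE: $conf is at $ver, need $FIXED_VERSION"
            status=1
        else
            echo "OK: $conf is at $ver"
        fi
    done <<EOF
$copies
EOF
    return $status
}

# Constructed fixture for demonstration only: a fake TYPO3 root holding an
# old (1.4.2) system copy plus a stray copy in typo3conf/ext. Prints its path.
make_demo_tree() {
    demo_root=$(mktemp -d)
    for dir in typo3/sysext typo3conf/ext; do
        mkdir -p "$demo_root/$dir/rtehtmlarea"
        cat > "$demo_root/$dir/rtehtmlarea/ext_emconf.php" <<'EOF'
<?php
$EM_CONF[$_EXTKEY] = array(
    'title' => 'htmlArea RTE',
    'version' => '1.4.2',
);
?>
EOF
    done
    echo "$demo_root"
}

# Stand-alone use: ./audit_rte.sh /path/to/typo3/site
# With no argument, audit the constructed demo tree (which is expected to fail).
if [ $# -gt 0 ]; then
    audit_rtehtmlarea "$1"
else
    demo=$(make_demo_tree)
    echo "No site root given; auditing constructed demo tree at $demo"
    audit_rtehtmlarea "$demo" || echo "Demo tree fails the audit, as an un-patched site should"
    rm -rf "$demo"
fi
```

Run it against your real document root after step 6; the only acceptable output is a single "OK" line for typo3/sysext/rtehtmlarea/ext_emconf.php at 1.4.3 or later. Any STRAY line means an older copy in typo3conf/ext/ or typo3/ext/ is still there and, depending on load order, may be the one actually serving the editor.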

Once you’ve done this, your system will be protected from this
particular vulnerability (it does nothing for any other hole, so keep
reading the bulletins). Two pieces of cleanup are worth doing while
you're in there: set [allowSystemInstall] back to 0 so nothing else
gets written into the core by accident, and if you had to enable the
Install Tool in step 2, disable it again when you're finished. This
is a potentially very dangerous security hole, so don’t put off
closing it until after the holidays; now that it’s been publicly
announced by the developers, we can probably expect Bad Guys to start
trying to hit TYPO3 sites with it any time now.

  [1] All my instructions are for users of TYPO3 4.x. If you are still using 3.x, there are different editor packages you should get. The bulletin has information on which packages go with which versions.
  [2] If you’ve never used the Install Tool before, it’s possible that you’ll get an error when you try it now. This is because this tool is turned off by default, for security. To turn it on, go into your TYPO3 source directory, find the file named typo3/install/index.php, and comment out the die() statement in there. More information on using the Install Tool: http://wiki.typo3.org/index.php/Typo3_Installation_Basics#Install_Tool
  [3] If you’re comfortable editing localconf.php yourself, you can add this configuration parameter manually rather than using the Install Tool.
  [4] After you install this one, though, don’t put any more in there: any extensions you install there will be thrown out the next time you upgrade your TYPO3 core. In this case, that’s not a problem, since the next point release of the core will include the updated editor.

Except where otherwise noted, all content on this site is provided under the terms of the Creative Commons Attribution-ShareAlike license.
