[TYPO3-announce] TYPO3 Security Bulletin TYPO3-20061220-1: Remote Command Execution in TYPO3

[Ingmar Schlecht]

Dear users of TYPO3,

a critical problem has been discovered in the rtehtmlarea extension.

An attacker can use the flaw to execute arbitrary system commands,
compromising the TYPO3 installation including the database and other
files on the server.

The system is vulnerable if PHP safe_mode is disabled. If safe_mode is
enabled, the bug can not be exploited.
Please be aware that TYPO3 versions 4.0 and higher include rtehtmlarea
as a system extension by default, and that a system may be affected even
if the extension is not set to "Installed" in the Extension Manager.
Since TYPO3 versions 4.0 and higher include rtehtmlarea as a system
extension by default, all installations of version 4.0 through 4.0.3 and
4.1 beta are vulnerable if PHP safe_mode is disabled.

Updated versions of TYPO3 (4.0.4, 4.1beta2) are available at
http://typo3.org/download/packages/, updated versions of the rtehtmlarea
extension are available in the extension repository.

All users of TYPO3 versions 4.0 through 4.0.3 and/or rtehtmlarea
versions 0.7.5 through 1.4.2 are advised to update their installations
immediately.

==== Component Type ====
System Extension (TYPO3 Versions 4.0-4.0.3, 4.1beta)
Third Party Extension (TYPO3 Versions up to 3.8.1). Since
TYPO3 Version 4.0 the extension is part of the TYPO3 default
installation

==== Affected Versions ====
TYPO3 default installation version 4.0 through 4.0.3, 4.1beta
Extension rtehtmlarea versions 0.7.5 through 1.4.2

==== Vulnerability Type ====
Remote Command Execution

==== Severity ====
CRITICAL

==== Solution ====
A) Update your TYPO3 core system to the latest version
B) Update the all instances (system/global/local) of extension
   rtehtmlarea:

Please use the list below to find the version of rtehtmlarea that
matches the version of TYPO3 you are using:

rtehtmlarea version 1.3.8
	is for TYPO3 version 4.0.x

rtehtmlarea version 1.4.3
	is for TYPO3 version 4.0.x that is using rtehtmlarea 1.4.2
	(updated via TER)

rtehtmlarea version 1.2.0
	is for TYPO3 version 3.8.x

rtehtmlarea version 1.1.4
	is for TYPO3 version 3.7.x

rtehtmlarea version 1.5.1dev
	is for TYPO3 version 4.1beta

When using the extension manager to update the extension you need to
click on the name of the extension (rather than the udpate icon left to
it) to access older versions than the latest.

NOTE: If you have installed rtehtmlarea in multiple locations (as
SYSTEM, GLOBAL and/or LOCAL extension), ALL of them need to be updated.

==== Quick Fix ====
(Apply the Quick Fix only as a last resort when TYPO3 and/or the
extension can't be updated immidiately):

Simply delete the file class.tx_rtehtmlarea_pi1.php from the following
locations:
PATH_TO_YOUR_SITE/typo3/sysext/rtehtmlarea/pi1
PATH_TO_YOUR_SITE/typo3/ext/rtehtmlarea/pi1
PATH_TO_YOUR_SITE/typo3conf/ext/rtehtmlarea/pi1

==== MD5 Sums for Core Packages ====
4.0.4:
8a3c066d3a1dfb9c86ede7838805f1de  dummy-4.0.4.tar.gz
bcf111df3c2abab5ee7ae0a32904d0ca  dummy-4.0.4.zip
377a357df848028c604d53ad9953353c  typo3_src-4.0.4.tar.gz
9e311279e711cffce7acc4e5c407296f  typo3_src-4.0.4.zip
16f239d68aceeae14d64a38d83afb4a7  typo3_src+dummy-4.0.4.zip

4.1 Beta 2:
182b7826bcb91c8cae594b55837f01e0  dummy-4.1beta2.tar.gz
2c8a9c53774515c00515d7e2e5874687  dummy-4.1beta2.zip
fc666d91f71ed29474ee11dcc74a5a5c  typo3_src-4.1beta2.tar.gz
43dc050d86a8e8b6da6658ab70ee0a9d  typo3_src-4.1beta2.zip
e96b872c1177fa549367d5ed99d6a348  typo3_src+dummy-4.1beta2.zip

==== General advice ====
Follow the recommendations that are given in the TYPO3 Security Cookbook.

==== Credits ====
Thanks to Daniel Fabian from SEC Consult (http://www.sec-consult.com)
who discovered the vulnerability and notified the TYPO3 security team.
Thanks to Peter Niederlag, Michael Stucki, Rupert Germann, Jochen
Weiland, Ingmar Schlecht and the other members of the security team who
immediately started working on the problem and the fix after the
security team was notified.

Regards,
TYPO3 Security Team