CMS is designed for businesses and public institutions

Jul 4, 2015 08:50 GMT  ·  By

Advertised as “the most widely used Enterprise Content Management System,” TYPO3 has recently received an update that plugs security vulnerabilities ranging from cross-site scripting (XSS) to improper login protection.

The TYPO3 content management system (CMS) was created with a focus on businesses and public institutions. According to official data, the product has more than 500,000 installations.

XSS and authentication problems repaired

The current revision fixes two XSS issues, one in the third-party Flowplayer library and the other in the Filelist component. The first was reported by Wouter van Dongen and the second by Markus Bucher, both active contributors to the platform.

Another fixed bug, discovered and reported by Helmut Hummel, concerns authentication: older versions of the CMS (6.2.0 through 6.2.13 and 7.0.0 through 7.3.0) are susceptible to session fixation.

“If a user authenticates while anonymous session data is present, the session id is not changed. This makes it possible for attackers to generate a valid session id, trick users into using this session id (e.g. by leveraging a different Cross-Site Scripting vulnerability) and then maybe getting access to an authenticated session,” the security advisory for the bug says.
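The advisory's scenario, as an added model (not TYPO3 code): a server-side session store that either keeps the anonymous session id across login, as the affected versions did, or replaces it with a fresh id, as the fix does. The store, the ids and the single `alice` credential are constructed for illustration.

```python
"""Session fixation on login: vulnerable pattern beside the fixed one."""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    data: dict = field(default_factory=dict)
    user: Optional[str] = None


class SessionStore:
    """Server-side session table keyed by session id."""

    def __init__(self, regenerate_on_login: bool) -> None:
        self.regenerate_on_login = regenerate_on_login
        self.sessions: dict[str, Session] = {}

    def start(self, requested_id: Optional[str] = None) -> str:
        """Resume the session named by the client's cookie, or create a fresh anonymous one."""
        if requested_id in self.sessions:
            return requested_id
        new_id = secrets.token_hex(16)
        self.sessions[new_id] = Session()
        return new_id

    def login(self, sid: str, user: str, password: str) -> str:
        """Authenticate; return the session id the client must present from now on."""
        if (user, password) != ("alice", "correct horse"):  # constructed credential check
            return sid
        if not self.regenerate_on_login:
            # Vulnerable behaviour: the anonymous id is kept, so whoever already
            # knows that id now holds an authenticated session.
            self.sessions[sid].user = user
            return sid
        # Fixed behaviour: migrate session data to a fresh id, destroy the old one.
        old = self.sessions.pop(sid)
        new_id = secrets.token_hex(16)
        self.sessions[new_id] = Session(data=old.data, user=user)
        return new_id

    def current_user(self, sid: str) -> Optional[str]:
        session = self.sessions.get(sid)
        return session.user if session else None


def fixation_succeeds(regenerate_on_login: bool) -> bool:
    """Does an id known before login still map to the authenticated session afterwards?"""
    store = SessionStore(regenerate_on_login)
    planted = store.start()            # anonymous id obtained before the victim logs in
    victim_sid = store.start(planted)  # victim's browser presents that planted id
    store.login(victim_sid, "alice", "correct horse")
    return store.current_user(planted) == "alice"
```

`fixation_succeeds(False)` returns True (the planted id is now authenticated), `fixation_succeeds(True)` returns False; the difference is the single id rotation at login.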

Login protection against brute force attacks extended to frontend

Brute-force protection for the frontend login has been introduced in the current TYPO3 CMS, which now enforces a five-second delay between wrong credential entries. The release also makes it possible to implement other brute-force protection methods.

On the back end, the five-second delay did not work properly and could be bypassed by forging a special request. This behavior has been corrected.

Branch 7.x is not the only one affected by these issues; users working with version 6.x are also impacted. The fixes have been integrated into both branches, in builds 6.2.14 and 7.3.1.