Important: TYPO3 Security Hole, and How To Close It

Category: Toys, Tools, Tech

Wednesday, December 20, 2006

If you use the excellent open-source content management system TYPO3, there is a very important security bulletin out this morning that you should read immediately.

A flaw has been discovered in the rich-text editing component that, if exploited, could allow an attacker to execute code on your server. The flaw can be fixed by updating your version of the rich-text editor to the latest version (1.4.3¹), which has been patched to remove the vulnerability.

The bulletin is not written very clearly, so here are the steps you should follow to update your TYPO3 installation:

1. Download the .t3x package of the new editor from the Extension Repository onto your PC.
2. The rich-text editor is a "system extension", which you normally cannot update without updating the whole TYPO3 core. This means we will have to do a little work. Log into your TYPO3 backend and go into the Install tool², then go to "All configuration". Scroll down until you find the configuration value [allowSystemInstall] in the [EXT] category. By default, this is set to zero, which prevents you from installing extensions into the core. Change this value to "1" (without the quotes)³:
   
   Then scroll to the bottom of the page and click "Write to localconf.php". Now you can install system extensions.⁴
3. The next step is to actually install the updated extension. In your TYPO3 backend, click on "Ext Manager" under "Tools" to get to the Extension Manager. Once you're there, pull down the drop-down menu labeled "Menu:" and select "Import Extensions" from the list of options:
   
   When the screen updates, look for the form element labeled "Upload extension file (.t3x):" and click the "Browse" button next to it:
   
   This will bring up a file chooser. Use the file chooser to find the .t3x file you downloaded in step 1 and click the "Open" button to select it.
4. Now we have to be sure to install the extension in the right place. Notice that beneath the element where we just picked the .t3x file, there is a drop-down menu labeled "... to location:":
   
   Pull that menu down and select "System (typo3/sysext/)". This will install the editor into the system core. Do not use any of the other options or you will have multiple versions of the editor floating around in your system.
5. Check the checkbox labeled "Overwrite any existing extension!" -- this will erase the old, vulnerable editor and replace it with the new, fixed one.
6. Click the "upload extension file" button to install the extension.

Once you've done this, your system will be secure from this exploit. This is a potentially very dangerous security hole, so don't put off closing it until after the holidays -- now that it's been publicly announced by the developers, we can probably expect Bad Guys to start trying to hit TYPO3 sites with it any time now.

1. All my instructions are for users of TYPO3 4.x. If you are still using 3.x, there are different editor packages you should get. The bulletin has information on which packages go with which versions.
2. If you've never used the Install Tool before, it's possible that you'll get an error when you try it now. This is because this tool is turned off by default, for security. To turn it on, go into your TYPO3 source directory, find the file named typo3/install/index.php, and comment out the die() statement in there. More information on using the Install Tool.
3. If you're comfortable editing localconf.php yourself, you can add this configuration paramater manually rather than using the Install Tool.
4. After you install this one, though, don't put any more in there -- any extensions you install there will be thrown out the next time you upgrade your TYPO3 core. In this case, that's not a problem since the next point release of the core will include the updated editor.