TYPO3 Security Bulletin TYPO3-20061220-1: Remote Command Execution in TYPO3

By: Peter Niederlag

Component Type: System Extension (TYPO3 Versions 4.0-4.0.3, 4.1beta)

Third Party Extension (TYPO3 Versions up to 3.8.1). Since
TYPO3 Version 4.0 the extension is part of the TYPO3 default
installation

Affected Versions: TYPO3 default installation version 4.0 through 4.0.3, 4.1beta
Extension rtehtmlarea versions 0.7.5 through 1.4.2

Vulnerability Type: Remote Command Execution

Severity: CRITICAL

Problem Description:
A critical problem has been discovered in plugin class.tx_rtehtmlarea_pi1.php that is used for spell-checking in the rtehtmlarea extension.

An attacker could use the flaw to execute arbitrary system commands, compromising the TYPO3 installation including the database and other files on the server.

The system is vulnerable if PHP safe_mode is disabled. If safe_mode is enabled, the bug can not be exploited.

Please be aware that TYPO3 versions 4.0 and higher include rtehtmlarea as a system extension by default, and that a system may be affected even if the extension is not set to "Installed" in the Extension Manager.

Since TYPO3 versions 4.0 and higher include rtehtmlarea as a system extension by default, all installations of version 4.0 through 4.0.3 and 4.1 beta are vulnerable if PHP safe_mode is disabled.

Updated versions of TYPO3 (4.0.4, 4.1beta2) as well as rtehtmlarea are available on in the download section of typo3.org and the extension repository.

All users of TYPO3 versions 4.0 through 4.0.3 and/or rtehtmlarea versions 0.7.5 through 1.4.2 are advised to update their installations immediately.

Solution:

A) Update your TYPO3 core system to the latest version

B) Update the all instances (system/global/local) of extension rtehtmlarea:

Please use the list below to find the version of rtehtmlarea that matches the version of TYPO3 you are using.

rtehtmlarea version 1.3.8 is for TYPO3 version 4.0.x

rtehtmlarea version 1.4.3 is for TYPO3 version 4.0.x that is using rtehtmlarea 1.4.2 (updated via TER)

rtehtmlarea version 1.2.1 is for TYPO3 version 3.8.x

rtehtmlarea version 1.1.4 is for TYPO3 version 3.7.x

rtehtmlarea version 1.5.1dev is for TYPO3 version 4.1beta

When using the extension manager to update the extension you need to click on the name of the extension (rather than the udpate icon left to it) to access older versions than the latest.

NOTE: If you have installed rtehtmlarea in multiple locations (as SYSTEM, GLOBAL and/or LOCAL extension), ALL of them need to be updated.
Quick Fix (apply only as a last resort when TYPO3 and/or the extension can't be updated immidiately):

Delete the file 'class.tx_rtehtmlarea_pi1.php'.

The file 'class.tx_rtehtmlarea_pi1.php' can be found in one or more of the following locations:
PATH_TO_YOUR_SITE/typo3/sysext/rtehtmlarea/pi1
PATH_TO_YOUR_SITE/typo3/ext/rtehtmlarea/pi1
PATH_TO_YOUR_SITE/typo3conf/ext/rtehtmlarea/pi1

General advice:
Follow the recommendations that are given in the TYPO3 Security Cookbook.

Credits:
Thanks to Daniel Fabian from SEC Consult (http://www.sec-consult.com) who discovered the vulnerability and notified the TYPO3 security team.
Thanks to Peter Niederlag, Michael Stucki, Rupert Germann and the other members of the security team who immediately started working on the problem and the fix after the security team was notified.