
Mobile Apps

Tailored to processes and functions, apps today play a major role in optimization. We offer you a comprehensive service in the design and implementation of applications (native, or as a web app with Phonegap).

Targeting

Do you reach your customers' target groups precisely on the internet? Re-marketing based on search results and users... We support you with your marketing plan!

360° Showrooms

Improve your internet presence on Google with a first-class virtual 360° tour in Street View! Simple, fast and affordable. VR showrooms are the future of visualization.

Your website? Quick and easy with tp3

New preconfigured interfaces and content elements let you present your website with the latest state of the art.

Features included in tp3

  • TYPO3 CMS 10 LTS
  • based on Bootstrap_Packages
  • Customized backend modules and workflows
  • Extract, manage and publish media content
    (Digital Asset Management)
  • Image editing options (scale, crop, color, etc.) for editors
  • Example content elements such as boxes, carousel and accordion
  • Links to google+, facebook, twitter, ...
  • Mobile app via Phonegap
  • Yoast SEO tools
  • Pagespeed optimized
  • NEW! Controllable animation effects

News System

TYPO3-PSA-2021-003: Mitigation of Cache Poisoning Caused by Untrusted URL Query Parameters

Problem Description

TYPO3 core internally uses the TypoScript function typolink to generate links to pages. The typolink property addQueryString can be used to append all query parameters—present in a corresponding HTTP request—to generated links. This typolink behavior does not have any functionality to determine whether a given query parameter should be considered as trusted or not. Therefore, it is possible to inject various query parameters to a link generated by the mentioned typolink behavior, when the addQueryString property is active.

In case the result of a request to the TYPO3 frontend has not been cached yet, the given set of HTTP query parameters will be used and stored. All subsequent requests will be served from cache.

This allows content injection (in terms of text, but NOT in terms of HTML or XSS) and might have an impact on SEO aspects (e.g. injecting the brand name of competitors).


Example request:

https://example.org/cms?injected=value

Calling the example link above the first time (without serving the request from cache), results in URLs containing the injected parameter &injected=value in combination with a valid &cHash signature (given that the URLs have been generated using typolink with addQueryString behavior enabled).

Example URL in response:

https://example.org/other-topic?injected=value&cHash=abcdef1234567890abcdef1234567890


TYPO3 core contains two components (CanonicalGenerator in ext:seo and LanguageMenuProcessor in ext:frontend) that use addQueryString by default. If either of the affected components is used on a TYPO3 website, or if addQueryString is used in TypoScript or Fluid, the website can be considered vulnerable to cache poisoning.

Solution

To solve this, the typolink function must be limited to accept trusted URL query parameters when addQueryString is used. TYPO3 is able to use routing configuration—introduced in TYPO3 v9—to determine trusted URL parameters. However, applying this change directly to the TYPO3 core would be a breaking change, which probably causes unwanted side effects on websites relying on the existing behavior. The TYPO3 Core Team has therefore decided to include the change as a breaking change in TYPO3 v12 only. Alternative solutions for current TYPO3 LTS and ELTS versions will be provided through third-party extensions.
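The mechanism described in the problem description and the solution above, as an added, simplified Python model (not TYPO3 code): typolink with addQueryString copies every request parameter into generated links, the page cache then hands that output to every later visitor, and the mitigation restricts addQueryString to parameters declared as trusted. The cHash stand-in, the key and the TRUSTED_PARAMS set are constructed assumptions and do not reproduce TYPO3's actual implementation.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlparse

# Constructed values for this model; TYPO3 derives cHash differently and reads
# trusted parameters from its routing configuration.
ENCRYPTION_KEY = b"constructed-demo-key"
TRUSTED_PARAMS = {"L", "page"}


def chash(params: dict) -> str:
    """Stand-in for the cHash signature: an HMAC over the sorted parameter set."""
    canonical = urlencode(sorted(params.items()))
    return hmac.new(ENCRYPTION_KEY, canonical.encode(), hashlib.sha256).hexdigest()[:32]


def typolink(target: str, request_params: dict, trusted_only: bool) -> str:
    """Model of typolink with addQueryString enabled.

    trusted_only=False reproduces the advisory's behaviour: every request parameter
    is copied into the link and signed. trusted_only=True is the mitigation: only
    parameters declared in TRUSTED_PARAMS survive.
    """
    params = {k: v for k, v in request_params.items()
              if not trusted_only or k in TRUSTED_PARAMS}
    if not params:
        return f"https://example.org/{target}"
    params["cHash"] = chash(params)
    return f"https://example.org/{target}?{urlencode(params)}"


def render_page(cache: dict, request_url: str, trusted_only: bool) -> str:
    """Render the page body (one generated link) and serve later hits from the cache.

    The cache key ignores undeclared query parameters, so whatever the first
    uncached request produced is what every later visitor receives.
    """
    parsed = urlparse(request_url)
    if parsed.path in cache:
        return cache[parsed.path]
    body = typolink("other-topic", dict(parse_qsl(parsed.query)), trusted_only)
    cache[parsed.path] = body
    return body


def second_visitor_sees(trusted_only: bool) -> str:
    """First hit carries an untrusted parameter; return what a later, clean request gets."""
    cache = {}
    render_page(cache, "https://example.org/cms?injected=value", trusted_only)
    return render_page(cache, "https://example.org/cms", trusted_only)
```

With trusted_only=False the clean second request still receives a link carrying injected=value plus a valid signature; with trusted_only=True the undeclared parameter never reaches the cached output.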

Suggested Extension ext:trusted_url_params

Alternative Extensions for Older TYPO3 Versions

In contrast to ext:trusted_url_params, the following approaches do not rely on routing configuration and can be used in older TYPO3 versions.

For TYPO3 websites using one of the mentioned core components (CanonicalGenerator in ext:seo and LanguageMenuProcessor in ext:frontend), or addQueryString via TypoScript, we recommend using one of the mentioned extensions to mitigate the problem. Please follow the corresponding documentation of those extensions to mitigate the caching issue correctly.

Regarding caching configuration and URL query parameters, we generally suggest setting:

// Disabling the usage of `&no_cache=1`
// (like in `https://example.org/?parameter=value&no_cache=1`).
$GLOBALS['TYPO3_CONF_VARS']['FE']['disableNoCacheParameter'] = true;
// Enforcing an HTTP 404 error response in case of an invalid `&cHash=` value
// (like in `https://example.org/?parameter=value&cHash=wrong`).
$GLOBALS['TYPO3_CONF_VARS']['FE']['pageNotFoundOnCHashError'] = true;

Credits

Credits go to Robert Vock, Oliver Thiele, Benjamin Robinson and Christoph Werner who reported the issue.

General Advice

Follow the recommendations given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.