Mobile Apps

Tailored to specific processes and functions, apps today play a major role in optimization. We offer you a comprehensive service for the design and implementation of applications (native, or as a web app with Phonegap).

Targeting

We help you find the people you need for your business. Online marketing concepts and plans are integrated through workflows and processes.

360° showrooms

Enhance your business on Google Maps, and enable people to walk through your showrooms and more.

Make it your own

This distribution is developed to help you get an easy entry into TYPO3 CMS. It can be used as an example to play around with or to kickstart your own projects.

Included features of the Introduction Package

  • TYPO3 CMS custom theme for Twitter Bootstrap
  • Customize the theme via LESS editor backend module
  • All Content Elements mapped to fit Twitter Bootstrap
  • Example additional content elements for carousel and accordion
  • All settings editable via the TypoScript constant editor
  • Responsive images enabled

News System

TYPO3-PSA-2021-003: Mitigation of Cache Poisoning Caused by Untrusted URL Query Parameters

Problem Description

TYPO3 core internally uses the TypoScript function typolink to generate links to pages. The typolink property addQueryString can be used to append all query parameters—present in a corresponding HTTP request—to generated links. This typolink behavior does not have any functionality to determine whether a given query parameter should be considered as trusted or not. Therefore, it is possible to inject various query parameters to a link generated by the mentioned typolink behavior, when the addQueryString property is active.

If the result of a request to the TYPO3 frontend has not been cached yet, the links generated from the given set of HTTP query parameters are stored in the page cache. All subsequent requests will be served from that cache.

This allows content injection (in terms of text, but NOT in terms of HTML or XSS) and might have an impact on SEO aspects (e.g. injecting the brand name of competitors).


Example request:

https://example.org/cms?injected=value

Requesting the example URL above for the first time (before the page is served from cache) results in generated URLs containing the injected parameter &injected=value together with a valid &cHash signature (provided those URLs were generated by typolink with the addQueryString behavior enabled).

Example URL in response:

https://example.org/other-topic?injected=value&cHash=abcdef1234567890abcdef1234567890


TYPO3 core contains two components (CanonicalGenerator in ext:seo and LanguageMenuProcessor in ext:frontend) that use addQueryString by default. If either of the affected components is used on a TYPO3 website, or if addQueryString is used in TypoScript or Fluid, the website can be considered vulnerable to cache poisoning.

Solution

To solve this, the typolink function must be limited to accept trusted URL query parameters when addQueryString is used. TYPO3 is able to use routing configuration—introduced in TYPO3 v9—to determine trusted URL parameters. However, applying this change directly to the TYPO3 core would be a breaking change, which probably causes unwanted side effects on websites relying on the existing behavior. The TYPO3 Core Team has therefore decided to include the change as a breaking change in TYPO3 v12 only. Alternative solutions for current TYPO3 LTS and ELTS versions will be provided through third-party extensions.
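As an added illustration of the approach described above, written for this page rather than taken from TYPO3 core or ext:trusted_url_params: a small PHP filter that keeps only query parameters whose names the site's routing is assumed to know (the trusted-name list and the incoming request are constructed samples) before they are appended to a generated link.

```php
<?php
declare(strict_types=1);

// Added example (not TYPO3 core code, not ext:trusted_url_params).
// The trusted names are assumed to be derived from the site's routing
// configuration; here they are a constructed sample list.

/**
 * Keep only top-level query parameters whose names are trusted.
 * Anything else (e.g. "?injected=value") is dropped, so it never reaches
 * a generated link and therefore never gets a valid cHash or a cache slot.
 */
function filterTrustedQueryParams(array $queryParams, array $trustedNames): array
{
    $trusted = array_flip($trustedNames);
    $kept = [];
    foreach ($queryParams as $name => $value) {
        if (isset($trusted[$name])) {
            $kept[$name] = $value;
        }
    }
    return $kept;
}

/**
 * Build a page link that mirrors addQueryString, minus untrusted parameters.
 */
function buildLink(string $base, array $queryParams, array $trustedNames): string
{
    $kept = filterTrustedQueryParams($queryParams, $trustedNames);
    return $kept === [] ? $base : $base . '?' . http_build_query($kept);
}

// Constructed sample request: a routed parameter ("L", language) next to an
// attacker-controlled one ("injected"), as in the problem description above.
$incoming     = ['L' => '1', 'injected' => 'CompetitorBrand'];
$trustedNames = ['L', 'page'];

// Unfiltered (current addQueryString behavior): the injected value would be
// carried into every generated link and then stored in the page cache.
echo 'https://example.org/other-topic?' . http_build_query($incoming), PHP_EOL;

// Filtered: only "L" survives, the injected parameter is gone.
echo buildLink('https://example.org/other-topic', $incoming, $trustedNames), PHP_EOL;
```

In a real site the trusted-name list has to be built from the route enhancers of the site configuration; the filter itself stays the same.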

Suggested Extension ext:trusted_url_params

Alternative Extensions for Older TYPO3 Versions

In contrast to ext:trusted_url_params, the following approaches do not rely on routing configuration and can be used in older TYPO3 versions.

For TYPO3 websites using one of the mentioned core components (CanonicalGenerator in ext:seo and LanguageMenuProcessor in ext:frontend), or addQueryString via TypoScript, we recommend using one of the mentioned extensions to mitigate the problem. Please follow the documentation of those extensions to mitigate the caching issue correctly.

Regarding caching configuration and URL query parameters, we generally suggest setting:

// Disabling the usage of `&no_cache=1`
// (like in `https://example.org/?parameter=value&no_cache=1`).
$GLOBALS['TYPO3_CONF_VARS']['FE']['disableNoCacheParameter'] = true;
// Enforcing an HTTP 404 error response in case of an invalid `&cHash=` value
// (like in `https://example.org/?parameter=value&cHash=wrong`).
$GLOBALS['TYPO3_CONF_VARS']['FE']['pageNotFoundOnCHashError'] = true;

Credits

Credits go to Robert Vock, Oliver Thiele, Benjamin Robinson and Christoph Werner who reported the issue.

General Advice

Follow the recommendations given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.