By now you are probably aware that there is a critical security issue in the TYPO3 core. This is not a borderline XSS that only works under a long list of preconditions; it is a real threat, and no issue of this kind has been discovered in TYPO3 before.
The issue allows an attacker to read files on your web server. Even if your web server is configured properly, the attacker can read any file under your web site root, including typo3conf/localconf.php, which contains your database credentials and your Install Tool password. You can work out for yourself what happens next (I am not giving hints to attackers). Treat those credentials as compromised and change them once you have patched.
If your web server is not configured properly, the attacker may also be able to read files outside of the web root. Think about which files that exposes.
As you can see, it is extremely important to upgrade or patch your servers right now!
Fixing your TYPO3 cores
How do you do it? The security bulletin gives you several ways:
- download a complete new version of the TYPO3 core. I expect this may be slow right now, because everyone will be downloading these versions at the same time
- download the patch for each TYPO3 version you run and apply it. This is easy if you follow the instructions in the bulletin
- run the shell script from the bulletin. It searches your hard drive for vulnerable files and fixes them. As shipped, it searches the whole drive starting from the root directory; you may want to change line 24 to use a dot instead of a slash and run the script from the directory where your TYPO3 cores are located, so that it searches only that tree
If I were you, I would choose the last option. It is especially convenient if you have several TYPO3 cores of different versions on one server.
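As an added example (it is not the bulletin's script and not TYPO3 code), the following POSIX shell script does the inventory half of that job: it searches only the tree you point it at, the same effect as changing the bulletin's line 24 from "/" to ".", lists every core it finds together with its version, and flags the ones whose version is not in the list of fixed versions you copy from the bulletin. It assumes the TYPO3 4.x layout, where the core version is stored in t3lib/config_default.php in a `$TYPO_VERSION = '...';` assignment; the script name, the /var/www path and the version strings in the usage line are placeholders.

```shell
#!/bin/sh
# Inventory TYPO3 cores below a directory and report those whose version is
# not in a list of fixed versions. Added example, not the bulletin's script.
# Assumption: a TYPO3 4.x core stores its version in t3lib/config_default.php
# on a line such as   $TYPO_VERSION = '4.x.y';

# list_typo3_cores ROOT
# Print one "VERSION<TAB>CORE_DIR" line per core found below ROOT.
# ROOT defaults to ".", i.e. the directory the script is run from.
list_typo3_cores() {
    root="${1:-.}"
    find "$root" -type f -path '*/t3lib/config_default.php' 2>/dev/null |
    while IFS= read -r cfg; do
        core_dir=$(dirname "$(dirname "$cfg")")
        # Pull the quoted value out of the $TYPO_VERSION assignment; cores
        # whose version cannot be read are reported as "unknown" rather
        # than silently skipped.
        version=$(grep 'TYPO_VERSION' "$cfg" | head -n 1 |
                  sed -n "s/^[^']*'\([^']*\)'.*$/\1/p")
        printf '%s\t%s\n' "${version:-unknown}" "$core_dir"
    done
}

# version_is_fixed VERSION "FIXED1 FIXED2 ..."
# Succeed if VERSION is one of the space-separated fixed versions.
version_is_fixed() {
    for fixed in $2; do
        [ "$1" = "$fixed" ] && return 0
    done
    return 1
}

# report_vulnerable_cores ROOT "FIXED1 FIXED2 ..."
# Print the cores below ROOT that still need the patch. The list of fixed
# versions comes from the security bulletin and is passed in by the caller.
report_vulnerable_cores() {
    tab=$(printf '\t')
    list_typo3_cores "$1" | while IFS="$tab" read -r version core_dir; do
        if ! version_is_fixed "$version" "$2"; then
            printf '%s\t%s\n' "$version" "$core_dir"
        fi
    done
}

# Usage (placeholders): find_typo3_cores.sh /var/www "4.x.y 4.x.z"
# The second argument is the list of fixed versions named in the bulletin.
if [ $# -ge 2 ]; then
    report_vulnerable_cores "$1" "$2"
fi
```

The script only finds and classifies cores; it does not modify anything, so you still apply the bulletin's patch to each core it reports. Because it takes the starting directory as an argument, you can run it against /var/www, or against the single directory that holds your shared typo3_src checkouts, instead of walking the whole disk.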
Is TYPO3 secure (in general)?
Since the issue is critical, you may be asking yourself: "Is TYPO3 secure?". The answer is "Yes!". I plan to write an article about it soon. For now I will just say that you can still trust TYPO3. Check back for the new article, which explains why.