Allele Security Alert
ASA-2018-00084
Identifier(s)
ASA-2018-00084, TYPO3-CORE-SA-2018-011
Title
Denial of Service in Online Media Asset Handling
Vendor(s)
TYPO3 Association
Product(s)
TYPO3
Affected version(s)
TYPO3 7.0.0-7.6.31, 8.0.0-8.7.20 and 9.0.0-9.5.1
Fixed version(s)
TYPO3 versions 7.6.32, 8.7.21 or 9.5.2
Proof of concept
Unknown
Description
Online Media Asset Handling (*.youtube and *.vimeo files) in the TYPO3 backend is vulnerable to denial of service. Placing large files with these file extensions in a TYPO3 file storage causes the backend to consume a large amount of system resources when it processes them. This can exceed the limits of the current PHP process (for example its memory limit), leaving the affected backend component dysfunctional. A valid backend user account, or write access to the file system of the server (e.g. via SFTP), is required to exploit this vulnerability.
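The failure mode described above, as an added illustration that is not TYPO3 code: a *.youtube or *.vimeo asset is a small text file whose content is the media ID, so a helper that slurps the whole file to read that ID will load an attacker-sized file into the PHP process. The naive reader and the bounded reader below, the size limit, the function names and the sample files are all assumptions made for this example, not the project's implementation or the actual patch.

```php
<?php
// Added illustration (not TYPO3 code): an unbounded read of an online media
// asset file versus a bounded one.

declare(strict_types=1);

// Upper bound for a plausible online media asset file. A YouTube or Vimeo
// media ID is a short token, so anything beyond a few KiB cannot be a valid
// asset. The value is an assumption for this example, not TYPO3's limit.
const MAX_ONLINE_MEDIA_FILE_SIZE = 2048;

/**
 * Naive pattern: read the entire file to obtain the media ID. Whoever can
 * write to the storage (backend user upload, SFTP) controls the file size,
 * so a multi-GB file named foo.youtube is allocated in full by this process.
 */
function getOnlineMediaIdNaive(string $path): ?string
{
    $content = file_get_contents($path);   // unbounded read of attacker-controlled size
    if ($content === false) {
        return null;
    }
    $id = trim($content);
    return $id !== '' ? $id : null;
}

/**
 * Bounded pattern: reject oversized files before touching their content, and
 * never read more than the limit even if the size check is racy (the file
 * could grow between stat and read).
 */
function getOnlineMediaIdBounded(string $path): ?string
{
    $size = filesize($path);
    if ($size === false || $size > MAX_ONLINE_MEDIA_FILE_SIZE) {
        return null;                        // not treated as an online media asset
    }
    $handle = fopen($path, 'rb');
    if ($handle === false) {
        return null;
    }
    try {
        $content = fread($handle, MAX_ONLINE_MEDIA_FILE_SIZE);
    } finally {
        fclose($handle);
    }
    if ($content === false) {
        return null;
    }
    $id = trim($content);
    // A media ID is an opaque token: no whitespace, no control characters.
    if ($id === '' || preg_match('/^[A-Za-z0-9_\-]+$/', $id) !== 1) {
        return null;
    }
    return $id;
}

// Constructed sample inputs: one legitimate asset and one oversized decoy.
$dir = sys_get_temp_dir();
$good = $dir . '/sample.youtube';
file_put_contents($good, "dQw4w9WgXcQ\n");

$decoy = $dir . '/decoy.youtube';
// Write the decoy in 1 KiB chunks so that creating it does not itself raise
// the peak memory of this script. 4 MiB is enough to make the difference
// visible; a real attacker would exceed memory_limit by a wide margin.
$fh = fopen($decoy, 'wb');
for ($i = 0; $i < 4096; $i++) {
    fwrite($fh, str_repeat('A', 1024));
}
fclose($fh);

printf("naive   good : %s\n", var_export(getOnlineMediaIdNaive($good), true));
printf("bounded good : %s\n", var_export(getOnlineMediaIdBounded($good), true));

$before = memory_get_peak_usage();
$result = getOnlineMediaIdBounded($decoy);
printf("bounded decoy: %s, peak memory grew by %d KiB\n",
    var_export($result, true), (memory_get_peak_usage() - $before) / 1024);

$before = memory_get_peak_usage();
$result = getOnlineMediaIdNaive($decoy);
printf("naive   decoy: %d-byte string, peak memory grew by %d KiB\n",
    strlen((string) $result), (memory_get_peak_usage() - $before) / 1024);

unlink($good);
unlink($decoy);
```

Run it with a small `memory_limit` (for example `php -d memory_limit=8M`) to see the naive reader abort the whole request on the decoy while the bounded reader returns null for it and still resolves the legitimate asset. The bounded variant checks the size first and then also caps the read, because a size check alone is a time-of-check/time-of-use gap when the writer is a concurrent SFTP session.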
Technical details
Unknown
Credits
Michael Schams and Oliver Hader (TYPO3 core team)
Reference(s)
TYPO3 9.5.2, 8.7.21 and 7.6.32 security releases published
https://typo3.org/article/typo3-952-8721-and-7632-security-releases-published/
TYPO3-CORE-SA-2018-011: Denial of Service in Online Media Asset Handling
https://typo3.org/security/advisory/typo3-core-sa-2018-011/
[SECURITY] Avoid DoS in Online Media Helper
https://github.com/TYPO3/TYPO3.CMS/commit/16567366e2a25c0cbed7208c3be9eda962e28c9b
[TYPO3-announce] Announcing TYPO3 v9.5.2, v8.7.21 and v7.6.32 security releases
http://lists.typo3.org/pipermail/typo3-announce/2018/000435.html
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 1, 2019