The developers of the Typo3 CMS framework have raised the alarm in an email to typo3-announce@lists.typo3.org, and security firm Secunia rates the problem "highly critical". In versions 4.3.0, 4.3.1 and 4.3.2 of Typo3 (as well as previous versions of the 4.4 development branch), attackers can inject PHP code from an external server and execute it within the Typo3 context.

Advisory SA-2010-008 contains details about how to fix the problem. Upgrading to version 4.3.3 is one way of improving the situation. The vulnerability is also impossible to exploit if at least one of three PHP switches is set to "off":

  • register_globals
  • allow_url_include
  • allow_url_fopen

The chances are that one of them is already switched off by default, and switching off all three is a good idea. However, this may cause compatibility problems and, as a web hosting customer, you may also only have very limited access to your PHP settings.

The link for this article located at H Security is no longer available.