Typo3 | Unrestricted File Upload in File Abstraction Layer
Information

| Field | Value |
|---|---|
| Software Type | Web App |
| Software Name | Typo3 |
| Affected Version | >= 9.0.0, <= 9.5.50; >= 10.0.0, <= 10.4.49; >= 11.0.0, <= 11.5.43; >= 12.0.0, <= 12.4.30; >= 13.0.0, <= 13.4.11 |
| Software Vendor | Typo3 Association |
| Software Link | https://github.com/TYPO3/typo3 |
| Severity | Medium |
| CVSS Score | 5.4 |
| CVE Link | https://github.com/advisories/GHSA-9hq9-cr36-4wpj |
| Affected Assets | 198333+ |
| Date of Discovery | Feb 19th 2025 |
| PoC Exploit | N/A |
Description

TYPO3 allows site editors with filelist permissions to upload .exe files despite the configured restrictions. These files are then served directly to users, which makes the application a potential malware distribution platform. Additionally, .html files can be uploaded and used to force a download of these executables through a <meta> refresh directive, so TYPO3 can be used as a distribution point for drive-by malware.
Reproduce

Log in as an editor with filelist permissions and navigate to file management in TYPO3:

https://t3example.ddev.site/typo3/module/file/list?id=1

Upload a .exe file by clicking “Upload Files”. Then create a file.html containing the following payload:

```html
<meta http-equiv="refresh" content="1;url=https://t3example.ddev.site/fileadmin/shell.exe">
```

Visit file.html and the executable is downloaded automatically:

https://t3example.ddev.site/fileadmin/file.html

While JavaScript is blocked by the Content Security Policy, a download can still be forced with plain HTML: the meta refresh directive performs the download silently, which TYPO3 appears to have overlooked.
Mitigation

A new configuration option, $GLOBALS['TYPO3_CONF_VARS']['SYS']['miscfile_ext'], has been added. It allows administrators to explicitly define which file extensions should be permitted beyond the built-in text and media file groups, for example archive formats such as zip or xz.

In addition, two new feature flags have been introduced:

- security.system.enforceAllowedFileExtensions enforces the defined list of allowed file extensions. This flag is enabled by default in new TYPO3 installations but remains disabled in existing installations to avoid breaking changes.
- security.system.enforceFileExtensionMimeTypeConsistency ensures that an uploaded file's extension matches its actual MIME type, providing further validation of file integrity. This flag is active by default.

It is recommended to configure the allowed file extensions via $GLOBALS['TYPO3_CONF_VARS']['SYS']['miscfile_ext'] and to enable the feature flag security.system.enforceAllowedFileExtensions to enforce the restriction; note that on an existing installation this flag stays disabled until an administrator enables it explicitly.
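As an added illustration (not TYPO3's own code), here is a small Python model of how the two feature flags described above interact for the uploads in this report: the allow-lists, the magic-byte table and the sample files are constructed for the example, and the second check only fires for extensions whose expected MIME type is known.

```python
from typing import Optional, Tuple

# Assumed allow-lists standing in for TYPO3's textfile_ext / mediafile_ext
# groups and an admin-defined SYS/miscfile_ext value (all constructed here).
TEXTFILE_EXT = {"txt", "html", "htm", "css", "js"}
MEDIAFILE_EXT = {"png", "jpg", "jpeg", "gif", "pdf"}
MISCFILE_EXT = {"zip", "xz"}

# Constructed magic-byte table used to sniff the real content type.
MAGIC = [
    (b"MZ", "application/x-msdownload"),  # Windows PE executable
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
]
# MIME type each binary extension is expected to carry (constructed).
EXT_MIME = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
            "pdf": "application/pdf", "zip": "application/zip"}

def sniff_mime(data: bytes) -> Optional[str]:
    """Return the sniffed MIME type, or None for unrecognised/text content."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return None

def check_upload(filename: str, data: bytes,
                 enforce_allowed_ext: bool = True,
                 enforce_mime_consistency: bool = True) -> Tuple[bool, str]:
    """Model of the two feature flags; returns (accepted, reason)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # security.system.enforceAllowedFileExtensions: extension must be listed
    if enforce_allowed_ext and ext not in TEXTFILE_EXT | MEDIAFILE_EXT | MISCFILE_EXT:
        return False, f"extension '.{ext}' is not in an allowed file group"
    # security.system.enforceFileExtensionMimeTypeConsistency: content must
    # match what the extension promises (only checkable for known extensions)
    if enforce_mime_consistency:
        sniffed, expected = sniff_mime(data), EXT_MIME.get(ext)
        if sniffed is not None and expected is not None and sniffed != expected:
            return False, f"content sniffed as {sniffed}, expected {expected} for '.{ext}'"
    return True, "accepted"

# Constructed sample uploads mirroring the report (PE_STUB is not a real binary).
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60
PNG_HEAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
HTML_REFRESH = b'<meta http-equiv="refresh" content="1;url=/fileadmin/shell.exe">'

if __name__ == "__main__":
    print(check_upload("shell.exe", PE_STUB, enforce_allowed_ext=False))  # existing install: accepted
    print(check_upload("shell.exe", PE_STUB))    # flag enabled: rejected
    print(check_upload("report.png", PE_STUB))   # exe renamed to .png: rejected by MIME check
    print(check_upload("file.html", HTML_REFRESH))  # plain HTML: accepted, harmless without the .exe
```

The first call shows the caveat from the text: with the allow-list flag left off on an upgraded installation, the MIME consistency flag alone does not stop the .exe, because there is no expected MIME type for that extension to compare against.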
Bounty
The Typo3 team awarded me a bounty of 150 EUR for this finding.
Proof of Concept (PoC) Video
Posted on: May 22, 2025 10:39 PM