CVE-2026-1323
Deserialization Vulnerability in TYPO3 Mail Extension Enables Code Execution

Publication date: 2026-03-17

Last updated on: 2026-04-25

Assigner: TYPO3

Description
The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath'].
Meta Information
Published: 2026-03-17
Last Modified: 2026-04-25
Generated: 2026-06-16
AI Q&A: 2026-03-17
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 2 associated CPEs
| Vendor | Product | Version / Range |
|--------|---------|-----------------|
| cps-it | mailqueue | up to 0.4.5 (excluding) |
| cps-it | mailqueue | from 0.5.0 (including) up to 0.5.2 (excluding) |
| CWE ID | Description |
|--------|-------------|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Executive Summary

The TYPO3 extension "Mailqueue" is vulnerable to insecure deserialization. This means it does not properly restrict which classes can be used when deserializing transport failure metadata. Because of this, an attacker who can write to a specific directory configured in the system can exploit this flaw to execute untrusted serialized code. [1]

Impact Analysis

If exploited, this vulnerability allows an attacker to execute arbitrary code on the system where the TYPO3 Mailqueue extension is installed. This can lead to unauthorized actions, potential system compromise, and data breaches. However, exploitation requires the attacker to have write access to a specific directory configured in the TYPO3 system.

Compliance Impact

I don't know

Detection Guidance

This vulnerability affects the TYPO3 extension "Mailqueue" (cpsit/typo3-mailqueue) in versions 0.5.0 to 0.5.1 and in versions 0.4.4 and earlier. Detection involves identifying if these vulnerable versions are installed.

You can check the installed version of the mailqueue extension using TYPO3's extension manager or by inspecting the Composer package version.

For example, to check the installed Composer package version, you can run the following command in your TYPO3 project directory:

    composer show cpsit/typo3-mailqueue

Additionally, verify the configuration variable $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath'] to identify the directory where serialized transport failure metadata is stored. Check if this directory is writable by untrusted users, which is a prerequisite for exploitation.

To check directory permissions on a Unix-like system, you can use:

    ls -ld /path/to/transport_spool_filepath

Replace /path/to/transport_spool_filepath with the actual path from your TYPO3 configuration. [1]
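The two detection checks above can be scripted. The following is an added example, not code from the advisory or from the extension: it tests a version string (as reported by `composer show`) against the affected ranges listed on this page and reads the mode string from `ls -ld` for the spool directory. The function names are hypothetical, and treating group or other write permission as a stand-in for "writable by untrusted users" is an assumption; ACLs are not evaluated.

```shell
#!/bin/sh
# Added example (not from the advisory): triage helpers for CVE-2026-1323.
# Function names are hypothetical; the ranges are the ones listed on this page.

# 0 = affected, 1 = not affected, 2 = not a plain x.y.z version (undecided).
mailqueue_is_affected() {
    v=${1#v}                          # tolerate a leading "v"
    v=${v%%[-+]*}                     # drop suffixes such as -dev or +build
    case "$v" in
        ''|.*|*[!0-9.]*) return 2 ;;
    esac
    major=${v%%.*}; rest=${v#"$major"}; rest=${rest#.}
    minor=${rest%%.*}; rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*}
    # Encode x.y.z as one integer so each range is a numeric comparison.
    n=$(( $major * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
    [ "$n" -lt 4005 ] && return 0                        # below 0.4.5
    [ "$n" -ge 5000 ] && [ "$n" -lt 5002 ] && return 0   # 0.5.0 up to 0.5.2
    return 1
}

# 0 = group or others may write to DIR, 1 = owner only, 2 = not a directory.
# Assumption: any write bit beyond the owner needs review. ACLs are ignored.
spool_dir_writable_beyond_owner() {
    [ -d "$1" ] || return 2
    perms=$(ls -ld "$1") || return 2
    perms=${perms%% *}                # mode string, e.g. drwxrwx---
    case "$perms" in
        d????w*|d???????w*) return 0 ;;   # group write or other write bit
    esac
    return 1
}

# Constructed sample versions, not taken from a real installation.
for ver in 0.4.4 0.4.5 0.5.1 0.5.2; do
    if mailqueue_is_affected "$ver"; then echo "$ver: affected"
    else echo "$ver: not affected"; fi
done

# Optional: pass the configured transport_spool_filepath as the first argument.
if [ -n "${1:-}" ] && spool_dir_writable_beyond_owner "$1"; then
    echo "$1: writable by group or others, review who can write here"
fi
```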

Mitigation Strategies

The primary mitigation step is to update the TYPO3 mailqueue extension to a fixed version.

Upgrade to version 0.5.2 or later, or 0.4.5 or later, as these versions contain the fix for this vulnerability.

You can update the extension via the TYPO3 extension manager, Packagist, or the TYPO3 extensions repository.

Additionally, ensure that the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath'] is not writable by untrusted users, as write access is required for exploitation.

Follow general TYPO3 security best practices, including subscribing to the typo3-announce mailing list and consulting the TYPO3 Security Guide. [1]
