Executive Summary

The vulnerability exists in the TYPO3 extension "Content Element Selector" (ceselector) where an attacker-controlled cookie is passed directly to PHP's unserialize() function without proper validation or sanitization.

This allows a remote, unauthenticated attacker to send a specially crafted serialized payload that triggers PHP Object Injection, which can lead to Remote Code Execution on the TYPO3 server.

Exploitation requires the content element to be configured with "Persistent Mode: Static" in the plugin settings.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts as it allows an unauthenticated remote attacker to execute arbitrary code on the TYPO3 server.

Successful exploitation could lead to full compromise of the server, including unauthorized access to data, modification or deletion of content, and potential use of the server for further attacks.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, you should update the 'Content Element Selector' extension for TYPO3 to the fixed versions: 6.0.1, 5.0.1, 4.0.2, or 3.0.3.

Additionally, ensure that the content element is not configured with 'Persistent Mode: Static' in the plugin settings, as exploitation requires this configuration.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows remote code execution on the TYPO3 server through insecure deserialization, which can lead to unauthorized access and control over the system.

Such unauthorized access and potential data breaches can compromise the confidentiality, integrity, and availability of sensitive data, thereby negatively impacting compliance with common standards and regulations like GDPR and HIPAA.

Organizations using the affected TYPO3 extension should update to patched versions immediately to mitigate the risk and maintain compliance with these regulations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for HTTP requests that include suspicious or crafted serialized payloads within cookies targeting the TYPO3 Content Element Selector extension. Since the exploit involves sending a specially crafted serialized PHP object via a cookie, inspecting incoming cookies for unusual serialized data patterns may help identify attempts to exploit this issue.

A practical approach is to capture and analyze HTTP traffic to the TYPO3 server, focusing on cookies sent in requests to the vulnerable extension. Tools like tcpdump, Wireshark, or web server logs can be used for this purpose.

• Use tcpdump to capture HTTP traffic on port 80 or 443: tcpdump -i eth0 -A 'tcp port 80 or tcp port 443'
• Filter web server logs for requests containing cookies with suspicious serialized PHP data (e.g., strings starting with 'O:', 'a:', or 's:').
• Use grep or similar tools to search logs for serialized payload patterns: grep -i 'O:[0-9]:' /var/log/apache2/access.log

Additionally, checking the TYPO3 plugin settings to verify if the content element is configured with "Persistent Mode: Static" can help assess exposure to this vulnerability.

Useful 0 Not Useful 0