TYPO3-PSA-2021-001: Sensitive links in search results of TYPO3 extension indexed_search

 

 

 

  • Component Type: TYPO3 CMS
  • Subcomponent: Indexed Search (ext:indexed_search)
  • Release Date: July 20, 2021
  • Impact: Information Disclosure
  • Type: Advisory

Problem Description

On TYPO3 websites where the “Indexed Search” extension is used, sensitive links may get indexed. The problem occurs when a TYPO3 page contains a plugin that handles possible sensitive actions via HTTP GET parameters  (e.g. confirmation action for a newsletter subscription, or similar token-based actions used for verification). This may lead to unwanted behavior, since “Indexed Search” may add the URL to the search index and website users would be able to find the link in the search result.

The impact of the problem depends on the functionality of the affected actions. For non-repeatable calls (e.g. where the URL is only valid once), there may be no impact if no sensitive user data is shown by the affected plugin. For repeatable actions (e.g. link to editing form of users’ newsletter subscription), the problem may lead to information disclosure or data modification.

The problem will only occur when the URL is fully cacheable (contains a valid cHash for all parameters).

Solution

Indexed search currently has no mechanism allowing extensions to intercept the indexing process - page contents are indexed before uncached extension plugins are processed.

The recommended way to avoid sensitive links getting indexed is to exclude the whole page from the page index.