Problem Description

TYPO3 core internally uses the TypoScript function typolink to generate links to pages. The typolink property addQueryString can be used to append all query parameters—present in a corresponding HTTP request—to generated links. This typolink behavior has no means of determining whether a given query parameter is trusted or not. Therefore, arbitrary query parameters can be injected into any link generated by typolink while the addQueryString property is active.

In case the result of a request to the TYPO3 frontend has not been cached yet, the given set of HTTP query parameters will be used and stored. All subsequent requests will be served from cache.

This allows content injection (in terms of text, but NOT in terms of HTML or XSS) and might have an impact on SEO aspects (e.g. injecting the brand name of competitors).

Example request:

https://example.org/cms?injected=value

Calling the example link above for the first time (before the request is served from cache) results in URLs containing the injected parameter &injected=value in combination with a valid &cHash signature (given that the URLs have been generated using typolink with the addQueryString behavior enabled).

Example URL in response:

https://example.org/other-topic?injected=value&cHash=abcdef1234567890abcdef1234567890
TYPO3 core contains two components (CanonicalGenerator in ext:seo and LanguageMenuProcessor in ext:frontend) that use addQueryString by default. If either of the affected components is used on a TYPO3 website, or if addQueryString is used in TypoScript or Fluid, the website can be considered vulnerable to cache poisoning.

Solution

To solve this, the typolink function must be limited to accept trusted URL query parameters when addQueryString is used. TYPO3 is able to use routing configuration—introduced in TYPO3 v9—to determine trusted URL parameters. However, applying this change directly to the TYPO3 core would be a breaking change, which probably causes unwanted side effects on websites relying on the existing behavior. The TYPO3 Core Team has therefore decided to include the change as a breaking change in TYPO3 v12 only. Alternative solutions for current TYPO3 LTS and ELTS versions will be provided through third-party extensions.
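To illustrate the mechanism described in the problem description and the allowlist approach of the solution, the following PHP simulation is added here; it is not TYPO3 core or ext:trusted_url_params code, and the link builders, the page cache and the trusted-parameter list are constructed for the example:

```php
<?php
declare(strict_types=1);

// Constructed stand-in for trusted parameters derived from routing
// configuration (e.g. a route enhancer declaring 'page' and 'category').
const TRUSTED_QUERY_PARAMS = ['page', 'category'];

// Equivalent to typolink with addQueryString: copy every request
// parameter into the generated link (hypothetical helper, not TYPO3 code).
function buildLinkAppendAll(string $target, array $query): string
{
    return $target . ($query ? '?' . http_build_query($query) : '');
}

// Hardened variant: only allowlisted parameters are carried over.
function buildLinkTrustedOnly(string $target, array $query, array $trusted): string
{
    $kept = array_intersect_key($query, array_flip($trusted));
    return $target . ($kept ? '?' . http_build_query($kept) : '');
}

// Minimal page cache keyed by path only, mirroring that the initial request
// carries no cHash and its rendered result is cached for every later visitor.
function serve(string $path, array $query, array &$cache, callable $linkBuilder): string
{
    if (!isset($cache[$path])) {
        $link = htmlspecialchars($linkBuilder('/other-topic', $query));
        $cache[$path] = '<a href="' . $link . '">more</a>'; // first request decides
    }
    return $cache[$path];
}

// Constructed traffic: an uncached request carrying an extra parameter,
// followed by an ordinary visitor requesting the same page.
$primingRequest = ['injected' => 'Competitor Brand', 'page' => '2'];
$visitorRequest = ['page' => '2'];

$cacheA = [];
serve('/cms', $primingRequest, $cacheA, 'buildLinkAppendAll');
$poisoned = serve('/cms', $visitorRequest, $cacheA, 'buildLinkAppendAll');
// The visitor receives the link with injected=Competitor+Brand although they never sent it.

$cacheB = [];
$trustedBuilder = fn(string $t, array $q): string => buildLinkTrustedOnly($t, $q, TRUSTED_QUERY_PARAMS);
serve('/cms', $primingRequest, $cacheB, $trustedBuilder);
$clean = serve('/cms', $visitorRequest, $cacheB, $trustedBuilder);
// With the allowlist, the cached link carries only page=2.

echo "vulnerable: $poisoned\nhardened:   $clean\n";
```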

Suggested Extension ext:trusted_url_params

Alternative Extensions for Older TYPO3 Versions

In contrast to ext:trusted_url_params, the following approaches do not rely on routing configuration and can be used in older TYPO3 versions.

For TYPO3 websites using one of the mentioned core components (CanonicalGenerator in ext:seo and LanguageMenuProcessor in ext:frontend), or addQueryString via TypoScript, we recommend using one of the mentioned extensions to mitigate the problem. Please follow the corresponding documentation of those extensions to mitigate the caching issue correctly.

Regarding caching configuration and URL query parameters, we generally suggest setting:

// Disabling the usage of `&no_cache=1`
// (like in `https://example.org/?parameter=value&no_cache=1`).
$GLOBALS['TYPO3_CONF_VARS']['FE']['disableNoCacheParameter'] = true;
// Enforcing an HTTP 404 error response in case of an invalid `&cHash=` value
// (like in `https://example.org/?parameter=value&cHash=wrong`).
$GLOBALS['TYPO3_CONF_VARS']['FE']['pageNotFoundOnCHashError'] = true;

Credits

Credits go to Robert Vock, Oliver Thiele, Benjamin Robinson and Christoph Werner who reported the issue.

General Advice

Follow the recommendations given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.