Information disclosure, identity theft, SQL injection, code injection, authentication bypass, cross-site scripting and cross-site request forgery. TYPO3 has published a web application security guide for website owners; below is a discussion of the most common and most dangerous web application vulnerabilities it covers.
7 Most Common Web Application Vulnerabilities
Information disclosure
This means that the system, under certain circumstances, makes information available to an outsider who can use it to craft an attack against the system. Such information includes details of the file system structure or details about the installed software, such as configuration options or version numbers. With this knowledge an attacker can pick an exploit that matches the exact configuration, which is what makes the attack possible.
There is a fine line between protection against information disclosure and so-called "security by obscurity". The latter means that system administrators or developers try to protect their infrastructure or software by hiding or obscuring it. An example would be not revealing that TYPO3 is used as the content management system, or which version of TYPO3 is used. Security experts say that "security by obscurity" is not security, simply because it does not solve the root of the problem (e.g. a security vulnerability) but only obscures the facts. Suppressing version numbers and verbose error pages is still worthwhile as a way to slow down reconnaissance; it just must never be the only defence.
Identity theft
Under certain conditions the system may reveal personal data, such as customer lists, e-mail addresses, passwords, order history or financial transactions. Criminals can use this information for fraud or financial gain. The server running a TYPO3 website should be secured so that no such data can be retrieved without the consent of the owner of the website.
SQL injection
With SQL injection the attacker submits input that is concatenated into an SQL statement and thereby changes the statement the database server executes. This can be used to retrieve information such as customer data or user passwords, or even to modify database content, for example by adding an administrator account to the user table. Therefore any parameter that enters a database query must be passed as bound data (prepared statements) rather than concatenated into the SQL string; filtering or escaping input by hand is error-prone and should only be a secondary measure.
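The following Python example is added here to make the attack concrete; it is not code from the TYPO3 security guide or from TYPO3 itself. It builds a constructed in-memory SQLite table (the column names are invented, not TYPO3's schema) and contrasts a login query assembled by string concatenation with the same query using bound parameters. Two payloads are shown: a tautology that bypasses the password check, and a UNION that pulls every stored password out through the login form.

```python
import sqlite3

# Constructed in-memory user table for this demonstration; the column names are
# invented and are not TYPO3's real schema. Passwords are stored in clear text
# only to keep the example short: a real system stores salted hashes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE fe_users (uid INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO fe_users (username, password, admin) VALUES (?, ?, ?)",
        [("alice", "s3cret", 1), ("bob", "hunter2", 0)],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation: the injectable pattern.
    Returns the matching (username, admin) rows."""
    sql = (
        "SELECT username, admin FROM fe_users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Same query with bound parameters: the driver sends the values as data,
    so quotes and comment markers in the input never become SQL syntax."""
    sql = "SELECT username, admin FROM fe_users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Two payloads typed into the username field: a tautology that makes the WHERE
# clause always true (the trailing "-- " comments out the password check), and a
# UNION that appends every username/password pair to the result.
BYPASS = "' OR '1'='1' -- "
EXFIL = "' UNION SELECT username, password FROM fe_users -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass:", login_vulnerable(db, BYPASS, "wrong"))
    print("vulnerable, exfil: ", login_vulnerable(db, EXFIL, "wrong"))
    print("safe, bypass:      ", login_safe(db, BYPASS, "wrong"))
    print("safe, real login:  ", login_safe(db, "alice", "s3cret"))
```

The parameterised version returns no rows for either payload because the whole string, quotes and comment marker included, is compared as a username. The same payload against the concatenated version logs in without a password and then dumps the table.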
Code injection
Similar to SQL injection described above, "code injection" includes commands or files from remote hosts (RFI: Remote File Inclusion) or from the local file system (LFI: Local File Inclusion). The fetched code becomes part of the executing script and runs in the context of the TYPO3 site, so it has the same privileges on the server as the web application itself. Both attacks, RFI and LFI, are usually caused by improper verification and neutralization of user input, typically a request parameter that is used directly as a file name or path.
Local file inclusion can also lead to information disclosure (see above), for example by revealing internal files that contain configuration settings, passwords or encryption keys.
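The Python example below is added to show the local file inclusion case in working code; it is not from the TYPO3 guide or from TYPO3. It models a constructed "template include" feature that takes a file name from a request parameter, first with no check (so "../config.php" walks out of the template directory and discloses a constructed config file), then with an allowlist plus a resolved-path check that confines reads to the directory. The file names, directory layout and fake database password are all invented for the demonstration. Remote file inclusion is not shown: it depends on the PHP interpreter's willingness to include URLs, which a Python open() cannot reproduce.

```python
import os
import tempfile

# Allowlist of template names the script is allowed to include (constructed).
TEMPLATE_NAMES = {"home", "contact"}


def include_vulnerable(base_dir, name):
    """Joins the request parameter onto the template directory with no check.
    A name such as '../config.php' walks out of base_dir: local file inclusion."""
    with open(os.path.join(base_dir, name)) as f:
        return f.read()


def is_confined(base_dir, name):
    """True only if the resolved path (symlinks and '..' expanded) still lies
    inside base_dir."""
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, name))
    return os.path.commonpath([base_real, target]) == base_real


def include_safe(base_dir, name):
    """Two independent defences: a strict allowlist of names, and a path check
    in case the allowlist is ever loosened to accept arbitrary names."""
    if name not in TEMPLATE_NAMES:
        raise ValueError("unknown template: %r" % name)
    if not is_confined(base_dir, name):
        raise ValueError("template path escapes %s" % base_dir)
    with open(os.path.join(os.path.realpath(base_dir), name)) as f:
        return f.read()


def build_fixture():
    """Creates a throwaway tree: <root>/templates/home plus a constructed
    <root>/config.php holding a fake database password one level up.
    Returns the template directory."""
    root = tempfile.mkdtemp()
    tpl = os.path.join(root, "templates")
    os.mkdir(tpl)
    with open(os.path.join(tpl, "home"), "w") as f:
        f.write("<h1>Home</h1>")
    with open(os.path.join(root, "config.php"), "w") as f:
        f.write("<?php return ['DB' => ['password' => 'dbpass']];")
    return tpl


if __name__ == "__main__":
    tpl = build_fixture()
    print(include_vulnerable(tpl, "../config.php"))   # leaks the config file
    for name in ("home", "../config.php"):
        try:
            print(include_safe(tpl, name))
        except ValueError as e:
            print("rejected:", e)
```

The allowlist is the real fix: the set of templates a script can include is known at development time, so there is no reason to accept free-form names at all. The realpath check is kept as a second layer because it also catches symlinks inside the template directory that point elsewhere.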
Authentication bypass
In an authentication bypass attack, the attacker exploits weaknesses in poorly designed applications or login forms, for example forms that rely on client-side input validation, which the attacker can simply skip by sending the request directly. The authentication modules shipped with the TYPO3 core are well-tested and reviewed. However, due to the open architecture of TYPO3, these modules can be replaced or extended by alternative solutions, whose code quality and security may vary; see the chapter "Guidelines for TYPO3 Integrators: TYPO3 extensions" for further details.
Cross-site request forgery
In this type of attack, unauthorized commands are sent from a user the website trusts. Consider an editor who is logged in to an application (like a CMS or online banking service) and is therefore authorized in the system. The authorization is typically stored in a session cookie in the user's browser. An attacker might send the editor an e-mail with a link that points to a website containing prepared images. When the browser loads the images, it actually sends requests to the system where the user is logged in, the browser attaches the session cookie automatically, and the commands execute in the context of the logged-in user. The standard defences are to require a secret per-session token in every state-changing request, and never to perform state changes on GET requests such as image loads.
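The following Python example is added here to show the forged-image scenario and the token check in working code; it is not code from the TYPO3 guide or from TYPO3. It uses a constructed in-memory session store and represents HTTP requests as plain dictionaries (method, cookies, form fields) so that it runs offline. The handler names, the "sid" cookie and the "victim.example" host are invented for the demonstration.

```python
import hmac
import secrets

# Constructed in-memory session store keyed by session cookie value; it stands in
# for a real server-side session and is not TYPO3's session handling.
SESSIONS = {}


def login(user):
    """Creates a session and a random per-session CSRF token; returns the
    session id that the browser would receive as a cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def csrf_token(sid):
    """The token a same-origin page embeds in its forms as a hidden field."""
    return SESSIONS[sid]["csrf"]


def delete_page_vulnerable(request):
    """Authorises on the session cookie alone and accepts any method. The
    browser attaches the cookie to a cross-site <img src=...> fetch too, so the
    forged request is indistinguishable from a real one."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401
    return 200  # the page is deleted in the context of the logged-in editor


def delete_page_safe(request):
    """Requires POST (so an <img> or a link cannot trigger it) and a token that
    only a page served from the site's own origin could have read."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401
    if request["method"] != "POST":
        return 405
    sent = request["form"].get("csrf", "")
    # Constant-time comparison; compare as bytes so odd input cannot raise.
    if not hmac.compare_digest(sent.encode(), session["csrf"].encode()):
        return 403
    return 200


def forged_image_request(sid):
    """What the browser sends when the attacker's page contains
    <img src="https://victim.example/delete?page=1">: cookie yes, token no."""
    return {"method": "GET", "cookies": {"sid": sid}, "form": {}}


def forged_form_request(sid):
    """Auto-submitted cross-site POST: the cookie is still attached, but the
    attacker cannot read the token, so the best they can do is guess."""
    return {"method": "POST", "cookies": {"sid": sid}, "form": {"csrf": "guess"}}


def legitimate_request(sid):
    """Form rendered by the site itself, carrying the session's token."""
    return {"method": "POST", "cookies": {"sid": sid}, "form": {"csrf": csrf_token(sid)}}


if __name__ == "__main__":
    sid = login("editor")
    print("vulnerable handler, <img> forgery:", delete_page_vulnerable(forged_image_request(sid)))
    print("safe handler, <img> forgery:      ", delete_page_safe(forged_image_request(sid)))
    print("safe handler, forged POST:        ", delete_page_safe(forged_form_request(sid)))
    print("safe handler, legitimate form:    ", delete_page_safe(legitimate_request(sid)))
```

The token works because the same-origin policy stops the attacker's page from reading the victim's form, so it can attach the cookie but never the token. Setting the session cookie with the SameSite attribute (Lax or Strict) is a complementary defence that keeps the browser from attaching the cookie to most cross-site requests in the first place.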