Typo3 CMS - v13.4.11 - Unrestricted File Upload

By 0xhamy 04:30 AM - September 29th 2025
Type: software
Product Environment: web
Product Name: Typo3 CMS
Product Vendor: Typo3 Association
Product Version: 13.4.11
Product Link: https://github.com/TYPO3/typo3
Vulnerability Name: Unrestricted File Upload
Severity: Medium
CVSS String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
CVSS Score: 5.4
CVE ID: CVE-2025-47939
Vendor Acknowledgement: Yes
Affected Digital Assets: 198333
Affected Users: 19833300
Date of Reporting: Feb 19, 2025
PoC Exploit: -
Credit: 0xhamy

Description

TYPO3 permits site editors with filelist permissions to upload restricted file types, such as .exe executables, bypassing intended safeguards. These files can then be directly served to end users, turning the platform into a vector for malware distribution. Furthermore, attackers can upload .html files containing a <meta> refresh directive to automatically trigger downloads of these executables, enabling drive-by malware attacks without user interaction. Although Content Security Policy (CSP) blocks JavaScript-based exploits, this HTML-based bypass remains effective.


Reproduce

  1. Log in to the TYPO3 backend as an editor with filelist permissions.

  2. Navigate to the file management module:
    https://t3example.ddev.site/typo3/module/file/list?id=1

  3. Click "Upload Files" and select an .exe file (e.g., shell.exe) to upload it to the fileadmin directory.

  4. Create and upload a new file.html file in the same directory with the following content:

    <meta http-equiv="refresh" content="1;url=https://t3example.ddev.site/fileadmin/shell.exe">
    
  5. Access the uploaded HTML file:
    https://t3example.ddev.site/fileadmin/file.html
    The browser will automatically redirect and initiate a silent download of the .exe file.


Recommendation

  • Configure Allowed File Extensions: Utilize the new configuration option $GLOBALS['TYPO3_CONF_VARS']['SYS']['miscfile_ext'] to explicitly define permitted extensions beyond the default text and media groups (e.g., add archive formats like zip or xz if needed). This helps restrict uploads to safe types only.

  • Enable Security Feature Flags:

    • security.system.enforceAllowedFileExtensions: Enforces the defined list of allowed extensions. This is enabled by default in new TYPO3 installations but disabled in existing ones to avoid disruptions; activate it manually for upgrades.
    • security.system.enforceFileExtensionMimeTypeConsistency: Validates that a file's extension matches its actual MIME type for added integrity checks. This is enabled by default.

  • General Recommendations: Update to the latest TYPO3 version, review and audit file permissions regularly, and implement server-level restrictions (e.g., via .htaccess or web server configs) to block execution or serving of dangerous file types. Monitor upload logs for suspicious activity.
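The following is an added defender-side example, not TYPO3's own code: it models the two feature flags above as a pre-upload check and adds an audit scan for the meta-refresh pattern from the report, so an operator can see why MIME consistency alone does not stop an .exe upload while the extension allowlist does. The extension groups, magic-byte table and sample uploads are constructed and abridged, not TYPO3's real defaults.

```python
import re
from typing import Optional

# Stand-ins for TYPO3's textfile_ext / mediafile_ext / miscfile_ext groups (constructed, abridged).
TEXT_EXT = {"txt", "html", "css", "js", "csv"}
MEDIA_EXT = {"jpg", "png", "gif", "svg", "pdf", "mp4"}
MISC_EXT = {"zip", "xz"}  # the kind of additions the report suggests for miscfile_ext
ALLOWED_EXT = TEXT_EXT | MEDIA_EXT | MISC_EXT

# Leading magic bytes used for the extension/MIME consistency check (constructed subset).
MAGIC = [
    (b"MZ", "application/vnd.microsoft.portable-executable"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
]
EXT_MIME = {"png": "image/png", "jpg": "image/jpeg", "pdf": "application/pdf", "zip": "application/zip"}
META_REFRESH = re.compile(
    r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh[\"']?[^>]*content\s*=\s*[\"'][^\"']*url=([^\"'>\s]+)",
    re.IGNORECASE)

def sniff_mime(data: bytes) -> Optional[str]:
    """MIME type implied by the file's leading bytes, or None for text/unknown content."""
    for sig, mime in MAGIC:
        if data.startswith(sig):
            return mime
    return None

def check_upload(filename: str, data: bytes, enforce_ext: bool = True, enforce_mime: bool = True) -> tuple:
    """Model of enforceAllowedFileExtensions (enforce_ext) and
    enforceFileExtensionMimeTypeConsistency (enforce_mime). Returns (accepted, reason)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if enforce_ext and ext not in ALLOWED_EXT:
        return False, f"extension '{ext}' not in allowed list"
    if enforce_mime:
        sniffed, expected = sniff_mime(data), EXT_MIME.get(ext)
        if expected is not None and sniffed != expected:
            return False, f"content looks like {sniffed}, not {expected}"
        if ext in TEXT_EXT and sniffed is not None:
            return False, f"text extension '{ext}' carries binary {sniffed} content"
    return True, "accepted"  # an .exe with enforce_ext=False lands here: MIME check alone is not enough

def redirect_targets_blocked_ext(html: str) -> list:
    """Audit scan for already-uploaded HTML: <meta refresh> URLs whose target extension is not allowed."""
    hits = []
    for url in META_REFRESH.findall(html):
        path = url.split("?", 1)[0].split("#", 1)[0]
        name = path.rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext and ext not in ALLOWED_EXT:
            hits.append(url)
    return hits
```

Run the scan over an existing fileadmin tree before enabling the flags: files that passed the legacy checks are not re-validated by turning enforcement on.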