CVE-2013-4320
Description
TYPO3 File Abstraction Layer (FAL) in versions 6.0.x before 6.0.9 and 6.1.x before 6.1.4 fails to enforce file permissions, allowing authenticated users to read or create arbitrary files via crafted URLs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The File Abstraction Layer (FAL) in TYPO3 versions 6.0.0 through 6.0.8 and 6.1.0 through 6.1.3, as well as the development branch up to 6.2, does not properly enforce permission checks for file actions (copy, delete, move, etc.) and file mount restrictions [1][2]. The permission handling that was intended to restrict editors to certain file actions and locations was only partially implemented when FAL was introduced, allowing users to bypass these controls by crafting specific URLs [2].
Exploitation
An attacker must have a valid authenticated backend user account. By crafting a specially formed URL, the attacker can bypass file mount boundaries and file action permissions, enabling them to read or create files outside their allowed scope [2]. No additional privileges or user interaction beyond authentication are required.
Impact
Successful exploitation allows the attacker to read arbitrary files (including sensitive configuration files) and create arbitrary files anywhere on the filesystem that the web server can access [1][2]. This compromises confidentiality and integrity, potentially leading to further system compromise, though remote code execution is not directly achieved through this vulnerability alone.
Mitigation
TYPO3 released versions 6.0.9 and 6.1.4 on September 4, 2013, which fix the permission bypass [2]. Administrators must update to these versions and clear all caches (either via the backend or by deleting the typo3temp/Cache directory) for the changes to take effect [2]. As a workaround, administrators can use User TSConfig to set file permissions instead of relying on the checkboxes in user or group records, which provides more granular control [2]. This vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| typo3/cms-core | Packagist | >= 6.0, < 6.0.9 | 6.0.9 |
| typo3/cms-core | Packagist | >= 6.1, < 6.1.4 | 6.1.4 |
Affected products
- cpe:2.3:a:typo3:typo3:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.1.3:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.