CVE-2021-21355
📋 TL;DR
This vulnerability lets unauthenticated attackers upload files with arbitrary extensions to a TYPO3 CMS site, because file uploads were accepted without enforcing a required MIME type. Per the vendor advisory it affects the Form Framework (package typo3/cms-form) and Extbase-based extensions that map uploads onto FileReference domain models without a custom type converter. Uploaded files land in a web-accessible storage location (by default fileadmin/user_upload/), so the attacker can usually fetch them directly afterwards.
💻 Affected Systems
- TYPO3 CMS 8.7.0-8.7.39, 9.0.0-9.5.24, 10.0.0-10.4.13 and 11.0.0-11.1.0 (system extensions form and extbase)
📦 What is this software?
TYPO3 CMS, the open-source PHP content management system maintained by the TYPO3 Association. The components involved here are the core system extensions form (the Form Framework, used to build frontend forms including file uploads) and extbase (the MVC framework on which most third-party extensions are built).
⚠️ Risk & Real-World Impact
Worst Case
An attacker uploads a web shell or other server-side script into a publicly reachable upload directory where the web server executes it, gains remote code execution as the PHP user, and pivots to the database credentials in the TYPO3 configuration and the rest of the host.
Likely Case
An attacker uploads active content (HTML, SVG or JavaScript files carrying XSS payloads, or PHP scripts where the web server will run them) into fileadmin/user_upload/ and links victims to it, enabling defacement, phishing and session theft from the site's own origin, or a foothold for further attacks. Whether a PHP upload actually executes depends on the web server configuration and on TYPO3's fileDenyPattern being applied on the upload path; do not rely on either without verifying it on the affected site.
If Mitigated
With script execution disabled in the upload directory and uploads restricted to an allow-list of extensions and server-side detected MIME types, the residual impact is storage consumption and disclosure of whatever other files sit in the same directory, since their names can be guessed and the directory is publicly reachable.
🎯 Exploit Status
Exploitation requires a frontend form or an Extbase plugin on the target site that accepts a file upload; the attacker then submits an ordinary multipart/form-data request whose file carries a disallowed extension. The vendor advisory (TYPO3-CORE-SA-2021-002) gives the technical details; no public proof-of-concept is referenced on this page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: TYPO3 8.7.40, 9.5.25, 10.4.14, 11.1.1
Vendor Advisory: https://typo3.org/security/advisory/typo3-core-sa-2021-002
Restart Required: No
Instructions:
1. Identify your TYPO3 version (see How to Verify below).
2. Update to the patched release of your branch: 8.7.40, 9.5.25, 10.4.14 or 11.1.1. Older minor branches (9.0-9.4, 10.0-10.3, 11.0) received no separate fix and must be moved to the patched release of the same major version. For composer installations: `composer update "typo3/cms-*" --with-dependencies`.
3. Clear all caches after the update (Admin Tools > Maintenance > Flush TYPO3 and PHP Cache in v9 and later, the Install Tool in v8), so that the PHP opcache does not keep serving the old classes.
4. Review fileadmin/user_upload/ (and any other storage your forms write to) for files with unexpected extensions that were uploaded before the patch; the fix does not remove them.
🔧 Temporary Workarounds
Restrict file upload directories
Configure the web server so that nothing under fileadmin/user_upload/ (the default target of form uploads) is executed as a script:
For Apache with mod_php: place an .htaccess in the upload directory containing `php_flag engine off` (AllowOverride must permit it for that path). With PHP-FPM the flag has no effect; deny the script extensions there instead, e.g. `<FilesMatch "\.(php|phtml|phar)$"> Require all denied </FilesMatch>`.
For Nginx: add a regex location for the upload path ahead of the generic PHP handler, because the first matching regex location wins: `location ~ ^/fileadmin/user_upload/.*\.(php|phtml|phar)$ { deny all; }`. An unscoped `location ~ \.php$ { deny all; }` would break the whole site.
Both rules only stop server-side execution; HTML, SVG and JavaScript uploads are still served to browsers. Where the directory is only meant for downloads, additionally send `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` for it.
Implement custom file type validation
Register a custom Extbase type converter (extending TYPO3\CMS\Extbase\Property\TypeConverter\AbstractTypeConverter) for the FileReference property and bind it in the controller's initialize*Action() through the argument's property mapping configuration. Have it reject the upload unless the extension is on an allow-list and the server-side detected MIME type (PHP's finfo, not the client-supplied type from $_FILES) matches that extension.
🧯 If You Can't Patch
- Disable, or audit and harden, every frontend form and Extbase plugin that accepts file uploads (Form Framework file and image upload elements, FileReference domain models mapped without a custom type converter)
- Add web application firewall rules that reject multipart/form-data POSTs whose filename carries an extension outside the allow-list your forms actually need (at minimum .php, .phtml, .phar, .html, .htm, .svg, .js), and serve fileadmin/user_upload/ with script execution disabled
🔍 How to Verify
Check if Vulnerable:
Read the TYPO3 version from the backend (it is shown in the top bar and in System > Reports > Status Report) or, for composer installations, from the installed core package. Any release below the patched one of its branch is affected: 8.7.0-8.7.39, 9.0.0-9.5.24, 10.0.0-10.4.13, 11.0.0-11.1.0.
Check Version:
composer show typo3/cms-core | grep versions
(use `typo3/cms` instead on older monolithic 8.7 composer installations)
Verify Fix Applied:
Confirm the version is 8.7.40+, 9.5.25+, 10.4.14+ or 11.1.1+, and that the caches were flushed after the update.
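The version check above is branch-aware: 9.4.x is affected even though it is "newer" than 8.7.40, and 11.5 is fixed although it is not listed. The following script is an added example for this page, not TYPO3 project code; it encodes the fixed releases from TYPO3-CORE-SA-2021-002 and parses the `versions` line of `composer show` output (the sample output is constructed).

```python
"""Branch-aware check of a TYPO3 version against the CVE-2021-21355 fixed releases.

Added example for this page (not TYPO3 project code). The fixed releases below
are the ones named in TYPO3-CORE-SA-2021-002; the composer output is constructed.
"""
import re

# First fixed release per major branch, taken from the vendor advisory.
FIXED_RELEASES = {
    8: (8, 7, 40),
    9: (9, 5, 25),
    10: (10, 4, 14),
    11: (11, 1, 1),
}

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")
# `composer show <package>` prints the installed release as "versions : * v10.4.13".
COMPOSER_VERSIONS_RE = re.compile(r"^versions\s*:\s*\*\s*v?(\d+\.\d+\.\d+)", re.MULTILINE)


def parse_version(text):
    """Return (major, minor, patch) from a tag like 'v10.4.13' or '10.4.13'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(version):
    """True if the release is in an affected range, False if it carries the fix,
    None for branches the advisory does not cover (7.6 and older are end-of-life)."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    major = v[0]
    if major > 11:
        return False  # every release after 11.1.1 contains the fix
    fixed = FIXED_RELEASES.get(major)
    if fixed is None:
        return None
    # Minor branches without their own fix (9.0-9.4, 10.0-10.3, 11.0) compare
    # below the patched release of their major version and are reported as affected.
    return v < fixed


def verdict(version):
    """Human-readable line for a report."""
    v = parse_version(version)
    state = is_vulnerable(v)
    tag = ".".join(map(str, v))
    if state is None:
        return f"{tag}: branch not covered by TYPO3-CORE-SA-2021-002 (end-of-life, upgrade)"
    if state:
        fixed = ".".join(map(str, FIXED_RELEASES[v[0]]))
        return f"{tag}: VULNERABLE, upgrade to {fixed}"
    return f"{tag}: fixed"


def check_composer_output(text):
    """Extract the installed release from `composer show typo3/cms-core` output
    and return (version_tuple, is_vulnerable)."""
    m = COMPOSER_VERSIONS_RE.search(text)
    if not m:
        raise ValueError("no 'versions' line found in composer output")
    v = parse_version(m.group(1))
    return v, is_vulnerable(v)


# Constructed sample of `composer show typo3/cms-core` output from an unpatched 10.4 site.
COMPOSER_SHOW_SAMPLE = """\
name     : typo3/cms-core
descrip. : The core library of TYPO3.
keywords : typo3, cms, core
versions : * v10.4.13
type     : typo3-cms-framework
"""

if __name__ == "__main__":
    for v in ("8.7.39", "9.4.2", "10.4.14", "11.0.0", "11.5.0", "7.6.52"):
        print(verdict(v))
    print(check_composer_output(COMPOSER_SHOW_SAMPLE))
```

Feed it the real `composer show typo3/cms-core` output (or the version string from the backend) per site; releases before 8.7 are reported separately rather than as "fixed", because the advisory does not cover them and they are out of support.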
📡 Detection & Monitoring
Log Indicators:
- New files in fileadmin/user_upload/ (or any storage your forms write to) whose extension is not one your forms are meant to accept, in particular .php, .phtml, .phar, .html, .htm, .svg, .js, and double extensions such as .php.txt
- Uploads arriving from clients that never loaded the form page (no preceding GET of the page, missing or scripted User-Agent)
Network Indicators:
- multipart/form-data POST requests to frontend pages that contain a Form Framework or Extbase upload plugin, from unusual sources or at unusual volume
- GET requests for files under fileadmin/user_upload/ with script or active-content extensions shortly after such a POST from the same client; a 200 response means the file was served, a 403 means a probe was blocked by the web server rules
SIEM Query:
source="web_logs" AND uri_path="/fileadmin/user_upload/*" AND (uri_path="*.php" OR uri_path="*.phtml" OR uri_path="*.phar" OR uri_path="*.html" OR uri_path="*.htm" OR uri_path="*.svg" OR uri_path="*.js") AND status=200
Note that the upload itself is a POST to the page hosting the form, not to the upload directory, so correlate frontend POSTs with the subsequent fetches from the same client IP rather than searching for POSTs under /fileadmin/.
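The correlation described above, as an added example for this page (not TYPO3 project code): it parses combined-format access log lines, flags active-content requests under the upload directory, and pairs each successful fetch with a POST from the same client within a five-minute window. The log lines are constructed; the upload directory and extension list are assumptions matching the defaults discussed on this page.

```python
"""Scan web server access logs for the post-exploitation pattern of CVE-2021-21355:
active content fetched from TYPO3's public upload directory, optionally preceded by a
form POST from the same client.

Added example for this page (not TYPO3 project code). Assumes Apache/nginx combined
log format; the log lines below are constructed.
"""
import re
from datetime import datetime, timedelta

UPLOAD_DIR = "/fileadmin/user_upload/"  # default target of frontend form uploads
# Extensions that a browser or the web server would treat as executable/active content.
ACTIVE_EXTENSIONS = {"php", "phtml", "phar", "php5", "shtml", "html", "htm", "svg", "js"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-log line into a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def active_extension(path):
    """Return the first active-content extension found in the file name, else None.
    Every dotted segment is checked so 'shell.php.txt' is caught as well as 'a.phtml'."""
    segments = path.rsplit("/", 1)[-1].lower().split(".")[1:]
    return next((s for s in segments if s in ACTIVE_EXTENSIONS), None)


def find_active_fetches(events):
    """Requests for active content under the upload directory, whatever the status
    (a 403 still shows someone probing for a file they expect to exist)."""
    return [e for e in events
            if e["path"].startswith(UPLOAD_DIR) and active_extension(e["path"])]


def find_upload_then_fetch(events, window=timedelta(minutes=5)):
    """Pair each successful fetch from the upload directory with a POST (the form
    submission carrying the upload) from the same client within `window` before it."""
    posts = sorted((e for e in events if e["method"] == "POST"), key=lambda e: e["ts"])
    pairs = []
    for fetch in events:
        if not (fetch["path"].startswith(UPLOAD_DIR) and fetch["status"] == 200):
            continue
        for post in reversed(posts):  # nearest preceding POST first
            delta = fetch["ts"] - post["ts"]
            if post["ip"] == fetch["ip"] and timedelta(0) <= delta <= window:
                pairs.append((post["path"], fetch["path"], int(delta.total_seconds())))
                break
    return pairs


def analyse(lines):
    """Run both detections over raw log lines and return the findings."""
    events = [e for e in map(parse_line, lines) if e]
    return {
        "active_fetches": [(e["ip"], e["path"], e["status"]) for e in find_active_fetches(events)],
        "upload_then_fetch": find_upload_then_fetch(events),
    }


# Constructed sample: one client submits a form, then fetches what it uploaded;
# a legitimate visitor downloads a PDF; a third client probes for a file that was blocked.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Feb/2021:10:14:02 +0000] "POST /contact HTTP/1.1" 303 0 "-" "curl/7.74.0"',
    '203.0.113.7 - - [23/Feb/2021:10:14:05 +0000] "GET /fileadmin/user_upload/cv.php HTTP/1.1" 200 512 "-" "curl/7.74.0"',
    '198.51.100.4 - - [23/Feb/2021:10:20:11 +0000] "GET /fileadmin/user_upload/brochure.pdf HTTP/1.1" 200 88211 "https://example.test/" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Feb/2021:10:15:40 +0000] "GET /fileadmin/user_upload/note.html?x=1 HTTP/1.1" 200 300 "-" "curl/7.74.0"',
    '192.0.2.9 - - [23/Feb/2021:11:02:00 +0000] "GET /fileadmin/user_upload/x.php HTTP/1.1" 403 199 "-" "python-requests/2.25"',
]

if __name__ == "__main__":
    for key, rows in analyse(SAMPLE_LOG).items():
        print(key)
        for row in rows:
            print("  ", row)
```

Run it over the real access log with `analyse(open(path).readlines())`; the blocked 403 probe is kept in the findings on purpose, since it tells you a client believed a script it uploaded was reachable and the web server rule is what stopped it.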
🔗 References
- https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-2r6j-862c-m2v2
- https://packagist.org/packages/typo3/cms-form
- https://typo3.org/security/advisory/typo3-core-sa-2021-002