TYPO3 is "a free Open Source content management system for enterprise purposes on the web and in intranets. It offers full flexibility and extendability while featuring an accomplished set of ready-made interfaces, functions and modules".
In version 4.0 and above, TYPO3 includes a system extension (sysext) named rtehtmlarea; the extension can also be installed optionally on TYPO3 versions below 4.0. The RTE HTML editor offers spell checking, for which it uses the command line tool 'aspell'. When this program is invoked, unvalidated user input is passed as an argument to the system call. Login to the backend is /not/ required to exploit this vulnerability.
This allows an attacker to execute arbitrary commands on the target system.
Vulnerable Systems:
* TYPO3 versions 4.0.0 - 4.0.3
* TYPO3 versions 3.7 and 3.8 with the rtehtmlarea extension
* TYPO3 version 4.1beta
Immune Systems:
* TYPO3 version 4.0.4
The affected script resides in /typo3/sysext/rtehtmlarea/htmlarea/plugins/SpellChecker/spell-check-logic.php, which calls the vulnerable script /typo3/sysext/rtehtmlarea/pi1/class.tx_rtehtmlarea_pi1.php. It requires a GET parameter id containing the page id of an existing page. When the POST parameter cmd is set to learn, the parameter userUid is not validated and can be used by an attacker to inject shell commands.
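To make the flaw class concrete, the following PHP illustration is added here; it is not TYPO3's own code, and the function names, the personal-dictionary file name and the sample request value are hypothetical. It contrasts an aspell command line built by string interpolation with one that validates userUid as a positive integer and shell-quotes every argument before anything is executed:

```php
<?php
// Added illustration of the flaw class; NOT the TYPO3 source.
// Function names, dictionary file name and sample values are hypothetical.

// Vulnerable pattern: a request parameter is spliced straight into the
// aspell command line, so any shell metacharacters it contains reach /bin/sh.
function buildAspellCommandUnsafe(string $userUid, string $lang): string
{
    $personalDict = ".aspell.$userUid.pws"; // hypothetical per-user dictionary
    return "aspell -a --lang=$lang --personal=$personalDict";
}

// Hardened pattern: validate each value against what it may legitimately be
// (a backend user id is a positive integer, a language is a short code) and
// shell-quote every argument. Rejecting the request is preferable to
// "cleaning" it, because the value should never contain anything else.
function buildAspellCommandSafe($userUid, $lang): ?string
{
    if (!is_string($userUid) && !is_int($userUid)) {
        return null; // arrays or other types from $_POST are rejected
    }
    // The D modifier makes $ match only at the very end, so a trailing
    // newline cannot slip past the check.
    if (!preg_match('/^[1-9][0-9]*$/D', (string) $userUid)) {
        return null;
    }
    if (!is_string($lang) || !preg_match('/^[a-z]{2,3}(_[A-Z]{2})?$/D', $lang)) {
        return null;
    }
    // Even validated values are quoted: defence in depth if the checks change.
    return 'aspell -a --lang=' . escapeshellarg($lang)
        . ' --personal=' . escapeshellarg(".aspell.$userUid.pws");
}

// Constructed sample request values (not taken from any real request).
$hostileUid = '42; echo injected'; // shell metacharacters where an id belongs
$validUid   = '42';

// The unsafe builder happily embeds the hostile value in the command line.
echo buildAspellCommandUnsafe($hostileUid, 'en'), PHP_EOL;

// The safe builder refuses the hostile value and only quotes the valid one.
foreach ([$hostileUid, $validUid] as $uid) {
    $cmd = buildAspellCommandSafe($uid, 'en');
    echo $cmd === null ? "rejected: $uid" : "accepted: $cmd", PHP_EOL;
}
```

The same two rules (validate against the expected type, then quote every argument) apply to any other request parameter that ends up on a command line, not only userUid.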