TYPO3. Everything around security


General

In these times of digital transformation, websites are becoming increasingly important as a medium for information, transactions and presentation. At the same time, legislators have created strict rules for handling personal data in recent years.

Consequently, website outages and hacker attacks entail not only high economic but also legal risks:

  • Data misuse: The misuse of data by third parties causes image damage and can result in very high fines under the General Data Protection Regulation (GDPR).
  • Server abuse: Websites infected by malware are often abused for third-party purposes (e.g. search engine spamming, "cryptojacking", DDoS attacks, etc.). They can cause liability damage as well as ranking losses, up to blacklisting in search engines.
  • Data loss/dysfunctionality: As a rule, backups protect against the accidental or intentional loss of data. However, since a malware infection usually becomes apparent much later, it may be that even backups made in the past no longer provide a remedy. In the worst case, the website has to be completely redeveloped.

In this article we would like to point out measures that minimize the above-mentioned risks.


Organizational

In the TYPO3 Association a dedicated Security Team is responsible for monitoring and handling security-related issues around TYPO3.

It is strongly recommended to follow the team's announcements via its channels, the email distribution list and the Twitter account (@typo3_security).

At https://typo3.org/help/security-advisories/ you can find a list of all known security vulnerabilities as well as corresponding recommendations for action, which are published as so-called "security bulletins".

Security Bulletins

There are three types of bulletins ("Security Bulletins"), each published with a unique identifier:

  • TYPO3-CORE-SA-yyyy-nnn for bulletins concerning the TYPO3 core
  • TYPO3-EXT-SA-yyyy-nnn for bulletins that apply to TYPO3 extensions
  • TYPO3-PSA-yyyy-nnn for Public Service Announcements

Where yyyy is the corresponding year of release and nnn is a sequential number.

Public Service Announcements

Security-relevant information that does not directly affect the source code of TYPO3 or its extensions is published as so-called Public Service Announcements. These include problems with third-party software like Apache, PHP or MySQL.

Severity

Severity is an indicator of the urgency of a vulnerability:

Severity   Meaning
Critical   highest level of urgency, requiring immediate action
High       second-highest level, action needed as soon as possible
Medium     your installation is not necessarily affected; nevertheless, an update should be done
Low        the installation is only affected under certain, rather unlikely, circumstances. In this case, too, we recommend an update.

Why is it important to always install the latest security update?

TYPO3 is an open source system. By comparing the old version with the new one, attackers can very quickly see what has changed, and in this way the vulnerability of the old version also becomes visible.
Therefore, one of the most important rules in terms of security:

Always keep the system up to date with the latest security patch.


Installation

Install the code directly from get.typo3.org. Avoid supposedly simpler third-party installation packages. Compare the hash value of the downloaded file with the one published on the official website.

Only the user under which the web server is running (e.g. "apache") should have read and write permissions. Programmers/administrators should be given appropriate rights through a group assignment. Write permissions are generally only needed for the directories "fileadmin", "typo3conf" and "typo3temp".

The file typo3conf/LocalConfiguration.php is the most important configuration file in TYPO3. It must not be readable by unauthorized persons (the database credentials are stored here in plain text), nor writable by them (a change of the install tool password, and thus the creation of an admin account, would be possible).

Only selected administrators should have so-called "maintainer rights" to use the install tool.

Editors should generally not have ftp/ssh/scp access to the web server.
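The following script is an added example, not code from the original article: it audits a TYPO3 web root against the permission rules described above and can apply them. It assumes the classic layout (<WEBROOT>/typo3conf/LocalConfiguration.php, fileadmin, typo3temp), GNU find, and that the hardening function is run as root.

```shell
#!/bin/sh
# Added example (not from the original article): audit a TYPO3 web root against
# the permission rules above, and apply them. Assumes the classic layout
# (<WEBROOT>/typo3conf/LocalConfiguration.php, fileadmin, typo3temp) and GNU find.

# typo3_perm_audit WEBROOT -> prints one line per finding, returns 1 if any
typo3_perm_audit() {
    root="$1"; problems=0
    lc="$root/typo3conf/LocalConfiguration.php"
    [ -f "$lc" ] || { echo "missing: $lc"; return 1; }
    # DB credentials are stored here in plain text: must not be world-readable;
    # world-writable would let anyone swap the install tool password.
    [ -z "$(find "$lc" -maxdepth 0 -perm -004)" ] || { echo "world-readable: $lc"; problems=1; }
    [ -z "$(find "$lc" -maxdepth 0 -perm -002)" ] || { echo "world-writable: $lc"; problems=1; }
    # Only fileadmin, typo3conf and typo3temp need write access (web user plus
    # admin group); anything else writable for group or others is a finding.
    for entry in "$root"/* "$root"/.[!.]*; do
        [ -e "$entry" ] || continue
        case "$(basename "$entry")" in fileadmin|typo3conf|typo3temp) continue ;; esac
        hit=$(find "$entry" -perm /022 -print -quit)
        [ -z "$hit" ] || { echo "writable outside fileadmin/typo3conf/typo3temp: $hit"; problems=1; }
    done
    return $problems
}

# typo3_perm_harden WEBROOT WEBUSER ADMINGROUP -> apply the rules (run as root)
typo3_perm_harden() {
    root="$1"; web="$2"; grp="$3"
    chown -R "$web:$grp" "$root"
    find "$root" -type d -exec chmod 750 {} +      # web user rwx, admin group rx
    find "$root" -type f -exec chmod 640 {} +
    for d in fileadmin typo3conf typo3temp; do     # the only writable trees
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type d -exec chmod 770 {} +
        find "$root/$d" -type f -exec chmod 660 {} +
    done
    chmod 640 "$root/typo3conf/LocalConfiguration.php"   # group read-only, others nothing
}
```

Run `typo3_perm_audit /var/www/html` (path is an example) in a cron job and mail its output; a non-zero exit means at least one finding.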


Under the item "Reports" in the TYPO3 backend there is a section "Security"; all of its checks should be green.

Server Response on static files
This is a common warning that is often displayed after a standard installation. It describes the possibility of uploading files named like "maliciouscode.html.txt" (or "maliciouscode.svg.txt") with the TYPO3 file manager. Some web servers treat such files as HTML because the file name contains ".html".
Since HTML and SVG files can contain malicious code, editors could subvert the system in this way. We describe how to fix this problem in a separate article about server response on static files.

Log

Under "Log" important events in TYPO3 are recorded. This includes system errors as well as login attempts, editorial actions, file uploads and much more.

This log is therefore an important tool for ongoing system monitoring.


Email notifications

In TYPO3 there are several ways to be informed about system changes or other events by email.

Monitor system settings automatically

You can use the "System Status Update" scheduler task to monitor the system environment automatically. In case of errors/warnings (or, if desired, always) an email is sent to the address stored in the task definition.

Log logins

Have yourself notified by email when any user (value 1) or an administrator (value 2) logs in:

$GLOBALS['TYPO3_CONF_VARS']['BE']['warning_mode'] = 1; // 1 = any user, 2 = administrator
$GLOBALS['TYPO3_CONF_VARS']['BE']['warning_email_addr'] = '<MAILADRESSE>';

(Both values can also be set via the install tool.)

Editors can also be notified via their personal settings (see switch "Notify me by email when somebody logs in from my account") when somebody logs in via their account.

Failed login attempts

You can manually track failed login attempts by setting the "Action" filter field to "Login" under "Reports" and specifying the desired time period.


Additional measures

The following are additional measures that further increase the protection of your TYPO3 system:

Multifactor authentication

As of TYPO3 v11, it is possible to allow backend users access to the backend only via multi-factor authentication.
More info in our article on multifactor authentication with TYPO3.

Anonymize log data

Anonymize the data in the sys_log table using the scheduler (task "Anonymize IP addresses in database tables").


Using HTTP Security Header

Using HTTP security headers is another way to make your website more secure. The headers instruct browsers, for example, to contact the server only via HTTPS ("HTTP Strict Transport Security" response header, HSTS for short), and they help prevent cross-site scripting, MIME sniffing and clickjacking, among other things.

You can test whether your website is adequately protected with these headers at https://securityheaders.com.

You can find a simple solution for setting the HTTP Security Header in our DSGVO article.
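As an added example (not from the original article or the linked DSGVO article), the following function performs an offline version of the securityheaders.com check against a captured response header block, looking for the headers named above and for weak values; the sample response is constructed, not from a real site.

```shell
#!/bin/sh
# Added example: check a captured HTTP response header block for the security
# headers discussed above. Pass the raw header text as the single argument.

# check_security_headers "HEADER_TEXT" -> prints findings, returns 1 if any
check_security_headers() {
    hdrs=$(printf '%s\n' "$1" | tr -d '\r' | tr 'A-Z' 'a-z')   # header names are case-insensitive
    bad=0
    # HSTS (https only), CSP (XSS), nosniff (MIME sniffing), XFO (clickjacking), referrer
    for h in strict-transport-security content-security-policy \
             x-content-type-options x-frame-options referrer-policy; do
        printf '%s\n' "$hdrs" | grep -q "^$h:" || { echo "missing: $h"; bad=1; }
    done
    # HSTS only helps with a meaningful max-age (here: at least ~6 months)
    if printf '%s\n' "$hdrs" | grep -q '^strict-transport-security:'; then
        age=$(printf '%s\n' "$hdrs" | sed -n 's/^strict-transport-security:.*max-age=\([0-9]*\).*/\1/p')
        [ "${age:-0}" -ge 15552000 ] || { echo "weak: hsts max-age=${age:-0}"; bad=1; }
    fi
    # "nosniff" is the only valid value; X-Frame-Options must be DENY or SAMEORIGIN
    if printf '%s\n' "$hdrs" | grep -q '^x-content-type-options:' && \
       ! printf '%s\n' "$hdrs" | grep -q '^x-content-type-options: *nosniff'; then
        echo "weak: x-content-type-options"; bad=1
    fi
    if printf '%s\n' "$hdrs" | grep -q '^x-frame-options:' && \
       ! printf '%s\n' "$hdrs" | grep -Eq '^x-frame-options: *(deny|sameorigin)$'; then
        echo "weak: x-frame-options"; bad=1
    fi
    return $bad
}

# Constructed sample response (not a real site): CSP missing, HSTS too short,
# obsolete ALLOW-FROM value for X-Frame-Options
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=300
X-Content-Type-Options: nosniff
X-Frame-Options: ALLOW-FROM https://example.invalid
Referrer-Policy: strict-origin-when-cross-origin'

check_security_headers "$SAMPLE_RESPONSE" || echo "-> headers need attention"
```

For a live site, feed it the output of `curl -sI https://your-site.example` (hostname is a placeholder).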


Disable "Plain HTML" content element

In TYPO3 it is possible to output HTML (and therefore also SVG/JavaScript) code as a content element on a page. You should disable this feature at least for editors via the "Access Lists" in the settings of the user (or, better, the group).

Prevent uploading of HTML, JavaScript, and SVG files

HTML, JavaScript and SVG files may contain malicious code. The possibility of uploading such files via the file manager should therefore be prevented if possible.

Table Garbage Collection

Regularly clean up the tables sys_log and sys_history via the scheduler task "Table Garbage Collection".
If you, like most, use the extension powermail, also clean up the tables tx_powermail_domain_model_mail and tx_powermail_domain_model_answer.


Backup strategy

An important part of keeping a website running as smoothly as possible is keeping a backup.

Components of a TYPO3 backup

The backup of a TYPO3 installation comprises two components:

1. Files
Usually the two decisive directories are:

<WEBROOT>/fileadmin
<WEBROOT>/typo3conf

These are the standard directories, but in special cases they can be located elsewhere. "typo3conf", for example, can be placed outside the webroot for security reasons. "fileadmin" may be named differently, or there may be additional directories ("file mounts").

2. Database
TYPO3 needs a database, which of course also has to be backed up.

Backup test
To ensure that backups are complete and can be restored without problems, they should be tested. In practice, it is often a good idea to restore a backup in a second environment and then use this as a test environment for tasks that should not be performed directly in the live system (such as security updates, template changes, etc.).
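The script below is an added example and not the agency's own backup script mentioned later on this page: it archives the two components named above (with typo3conf optionally outside the webroot) and performs the cheapest form of the backup test, checking that the archive is readable and contains both components. It assumes GNU tar and gzip, and for the database part that MYSQL_DB and MYSQL_USER are set and MYSQL_PWD is exported.

```shell
#!/bin/sh
# Added example, not the agency's backup script: back up the two TYPO3 components
# and verify the archive. Assumes GNU tar/gzip; for backup_db, MYSQL_DB and
# MYSQL_USER must be set and MYSQL_PWD exported (keeps the password out of ps).

# backup_files WEBROOT DEST [TYPO3CONF_DIR]
#   fileadmin is taken from WEBROOT; typo3conf may live outside the web root,
#   so its path can be passed explicitly. Prints the archive path.
backup_files() {
    root="$1"; dest="$2"; conf="${3:-$1/typo3conf}"
    out="$dest/typo3-files-$(date +%Y%m%d-%H%M%S).tar.gz"
    # -C before each member so the archive stores "fileadmin/..." and
    # "typo3conf/...", not the absolute paths of this particular server
    tar -czf "$out" -C "$root" fileadmin \
        -C "$(dirname "$conf")" "$(basename "$conf")" || return 1
    echo "$out"
}

# backup_db DEST -> consistent, compressed dump of the TYPO3 database
backup_db() {
    base="$1/typo3-db-$(date +%Y%m%d-%H%M%S).sql"
    mysqldump --single-transaction -u "$MYSQL_USER" "$MYSQL_DB" > "$base" \
        || { rm -f "$base"; return 1; }
    gzip -f "$base" && echo "$base.gz"
}

# verify_backup ARCHIVE -> 0 only if it is readable and holds both components
# (a restore into a second environment remains the real test)
verify_backup() {
    list=$(tar -tzf "$1" 2>/dev/null) || return 1
    printf '%s\n' "$list" | grep -q '^fileadmin/' || return 1
    printf '%s\n' "$list" | grep -q '^typo3conf/LocalConfiguration\.php$' || return 1
}

# Typical nightly run (paths are placeholders); mirror DEST off-host afterwards,
# e.g. with rsync, and encrypt it, since the dump contains personal data.
# a=$(backup_files /var/www/html /var/backups/typo3) && verify_backup "$a"
# backup_db /var/backups/typo3
```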

Further notes

Backups should not be kept (only) locally. We have developed our own backup script that allows mirroring backups to other servers.

Keep in mind that backups may contain personal data as defined by the GDPR and take appropriate protection measures, such as encryption and password protection.

Backup intervals

Since potential functional errors, data loss, and/or corrupt code are detected late in most cases, backups should be available over a longer period of time, not just from the previous day.

We recommend the following backup intervals:

  • Make a daily backup
  • Keep a backup of the last 7 days
  • Keep a backup of the last month
  • Keep a backup of the last half year
  • Keep a backup of the last 12 months

TYPO3 Support

Do you need support for the secure operation of your TYPO3 installation(s)? As a TYPO3 agency with certified developers we are happy to support you and offer professional TYPO3 support. We look forward to hearing from you.